Info Law Group : Technology Lawyers & Attorneys : Information Law Group : Privacy, Security & Intellectual Property Law

The W3C standard, which remains very much a preliminary work in progress, included input from Facebook, Microsoft, Mozilla, Google and others, and would require companies to obtain “affirmative, informed consent” in order to follow the web-surfing habits of uses who adopted the “Do-Not-Track” tools.  As the working group notes the draft "does not represent working group consensus by any stretch of the imagination, though an attempt has been made to highlight areas where issues have been identified and present multiple alternatives if they have been discussed."

Nevertheless, with the finalized Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers FTC  report expected to be released in the coming month, the W3C's DNT standards will likely take on new importance in 2012. 

To discuss the W3C's DNT mechanisms, the FTC report or the potential impact on your online operations feel free to contact me or any of the attorneys at the InfoLawGroup.

Background

Why are privacy-related legal issues a key concern in the social media context? The entire marketing model inherent in the use of social media involves direct communication with, and gathering key information about, clients and customers in order to more efficiently and effectively deliver goods and services. The more granular and accurate the information about a social media user, the more valuable to companies seeking to leverage it. Naturally, as they collect and use information about social media users, organizations will come into contact with sensitive personal information about those users. This sensitive information goes beyond “traditional” personally identifiable information, and can include geo-location information, photographs and videos, relationship information (friends of friends), online behavioral information, political viewpoints and more.

The types of information available to a company employing a social media strategy will vary based on the platforms used, the method of interaction within a given platform (e.g. fan page versus company profile), technical constraints and policies, and the nature of the strategy itself. In analyzing privacy legal issues, organizations should ask the following questions:

• What types of personal information will the organization have access to?

• What types of personal information will the organization collect, and how will it use that information?

• What legal restraints exist with respect to the collection and use of the personal information (e.g. regulations, contracts, internal policies, etc.)

While this post focuses on privacy legal risk, it must be noted that the collection and use of personal information derived from social media may pose additional moral, reputational and business issues (which go beyond the scope of this article). As such, even if a practice is legal, the “big picture” must always be taken into account.

Key Privacy Legal Issues

• Social Media Platform Terms of Use

The first place to look for privacy legal obligations are the terms of use of a particular social media platform. Social media platforms attempt to balance privacy concerns of their users against commercial use of user information by laying out specific limitations and conditions related to the collection and use of personal information. For example, for applications built by companies for use in Facebook, organizations may not use a user’s friends list outside of the application, even if a user consents to such a use (organizations, however, may use connections between two users that have both connected to the application). As a general rule, companies can only use the Twitter API to reproduce, modify, create derivative works, distribute, sell, transfer, publicly display, publicly perform, transmit, or otherwise use Twitter content.

In addition, certain privacy-related terms and conditions may apply depending on the specific social media activities or functionality a company leverages within a social media platform.   Organizations seeking to leverage social media need to understand and implement the (sometimes confusing and often very detailed) rules of multiple platforms, and for multiple functionalities and activities within a platform.

For example, on Facebook, organizations that set up a Fan Page are not allowed to collect information from users unless they have obtained their consent.  In contrast, companies wishing to develop and launch a Facebook application can only request information from users that is necessary to run the application, but do not need consent for every data collection. Facebook also imposes certain limits on what and how personal information can be collected when using a Facebook application. For example, for all data obtained through the Facebook API except “basic account information,” organizations must obtain explicit consent from the user to use that data for any purpose other than displaying it back to the user in the application. Companies are prohibited by Facebook from soliciting or collecting user profile login information, such as usernames or passwords.  Consider the number of platforms and the number of rules within a platform, and the fact that these rules often change, and it becomes apparent that compliance can get tricky.

Unfortunately, the failure to follow these privacy-related terms of use can (and already has) get companies into legal trouble. That trouble can arise directly with the social media platform provider in the form of a banning or a breach of contract action. In addition, a violation of the obligations set forth in a social media platform's terms of the use may be alleged as the basis for lawsuits against companies using social media.

• Regulatory Privacy Issues

An organization’s social media activities may also raise regulatory concerns. In the United States, the FTC has not been shy about bringing actions under the FTC Act for “unfair” or “deceptive” business practices. As with a normal website privacy policy, if an organization does not follow its privacy policy related to a social media application and personal information related thereto, the FTC could allege that such failure is a deceptive trade practice.

A particular area of concern for violations of privacy policies arises when companies integrate social media functionality directly into their websites. Some company websites may embed social media functionality that allows users to comment on a website post or article using Facebook or Twitter’s comment platform. The user comments are displayed both on the website and on the social media platform. The question is to what extent does the website’s general privacy policy apply to the information gathered through the embedded social media platform. The second question is whether the organization’s handling and use of such personal information violates the website’s general privacy policy.   As the lines between an organization's general website presence and their social media presence blur even more over time, consistent privacy practices will become increasingly important (note:  InfoLawGroup has developed privacy policy language to address this situation).

Beyond general regulatory authority present in consumer protection acts, some specific privacy regulations may apply in the social media context. For example, for employers that use social media to vet potential employment candidates, the information obtained from a social media site may constitute a “consumer report” under the Fair Credit Reporting Act and similar state laws (this topic is discussed in more detail in the upcoming part of this series concerning social media and employment issues). In addition, there has been some activity around the Children's Online Privacy Protection Act (COPPA) and social media, including FTC actions against a social media site for children and a mobile phone game developer that created games for children.  In fact the FTC recently released proposed revisions to COPPA intended to address social media that is used often by children.

The collection and dissemination of information from social media users may be even more problematic when information concerning European users is at issue. Under the EU Data Protection Directive, personal data is defined as "any information relating to an identified or identifiable natural person”. This definition is generally much broader than most U.S. laws that reference personally identifiable information (those definitions typically require a first name/first initial and last name in combination with other specified data elements such as social security number, financial account number, driver’s license number, etc.). Regulators in Europe have reported that information derived by or from social media sites constitutes personal data under EU law.  For example, one German state has indicated that the “Like” button on Facebook is in violation of German privacy law. If the EU Directive does apply to information from a social network, the transmission of personal data of a European resident to the United States could violate various requirements concerning transborder data flow.

Finally, as the definition of personal information expands in the United States (the FTC has defined personal information broadly in the social media context to mean “information respondent collects from or about an individual”), it is likely that information relating to individuals collected from social media activities will be more closely regulated.  It is therefore important to keep up with the regulatory environment and legislation being proposed on both the Federal and State levels.

Conclusion

Participation and a presence in the social media context can be very valuable for organizations, and that value is likely to increase significantly in the future. Most organizations will seek to discover as much information about social media users as possible, and as more of our lives (social and commercial) are lived on the Internet, this information will be highly sought after.

This of course will raise significant privacy issues; privacy issues that current law may not fully address. In the U.S., we anticipate an evolution in the social media context that will initially involve regulators utilizing their broad and general regulatory authority (e.g. the FTC Act), and then may result in the passage of more specific laws and regulations. Even without specific regulatory constraints, organizations looking to leverage social networking today should carefully review the social media platform TOUs and their existing privacy policies, and develop policies and practices that address social media where appropriate. In addition, companies should analyze how existing laws in relevant jurisdictions might apply to their collection, processing, storage and distribution of personal information obtained from social media.  A reasonable balancing of these privacy legal risks against the commercial advantages to be derived from social media is the best course of action.

Definitions

The FTC proposes to modify particular definitions to update the Rule’s coverage and to streamline the Rule’s language. The COPPA Rule requires websites and online services to obtain parental consent before collecting personal information from children. The FTC proposes to change the definition of “personal information” to include geolocation information, photos and videos containing a child’s image, audio files containing a child’s voice, and certain types of persistent identifiers used for functions other than, or in addition to, support for the internal operations of a website or online service. In addition, the FTC proposes to modify and streamline the definition of “collects or collection.” First, the FTC aims to clarify that the definition includes all means of passive online tracking, irrespective of the technology used. Additionally, the current definition of “collects or collection” includes enabling children to publicly post personal information (e.g., on social networking sites or on blogs), “except where the operator deletes all individually identifiable information from postings by children before they are made public, and also deletes such information from the operator’s records.” Instead of a “100% deletion standard,” the FTC is proposing a “reasonable measures” standard. This means that websites and online services will not be deemed to be “collecting” children’s personal information if they employ technologies “reasonably designed to capture all or virtually all personal information inputted by children.” This change is intended to lower the hurdle to websites’ development and to encourage the development of systems “to detect and delete all or virtually all personal information that may be submitted by children prior to its public posting.”

Parental Notice

COPPA requires that websites and online services notify parents of their online information practices in two ways: on the website or online service (usually in a privacy policy), and in a “direct notice” delivered to a parent whose child seeks to register on the site or service. The FTC proposes to revise the notice requirements to reinforce COPPA’s goal of providing complete and clear information in the direct notice, and to rely less heavily on the online notice or privacy policy as a means of providing parents with information about operators’ information practices.

Parental Consent

Central to COPPA is the requirement that websites and online services must obtain parental consent before collecting, using, or disclosing children’s personal information. The FTC proposes to add several new methods to obtain parental consent to the Rule’s current list, including “electronic scans of signed parental consent forms, video-conferencing, and use of government-issued identification checked against a database, provided that the parent’s ID is deleted promptly after verification is done.” The FTC also proposes to remove the “e-mail plus” method of parental consent because it “has inhibited the development of more reliable methods of obtaining verifiable parental consent.”

Confidentiality and Security Requirements

To strengthen the Rule’s confidentiality and security requirements, the FTC proposes to require websites and online services ensure that any service providers or third-parties to whom they disclose a child’s personal information have in place reasonable procedures to protect the information. Additionally, the FTC proposes to add a new data retention and deletion provision. The new provision requires websites and online services to retain children’s personal information for only as long as is reasonably necessary to fulfill the purpose for which the information was collected. The new provision also requires websites and online services to delete children’s personal information by taking reasonable measures to protect against unauthorized access to, or use of, the information in connection with its deletion.

Safe Harbors

The COPPA statute established a “safe harbor” for participants in Commission-approved COPPA self-regulatory programs. The Rule provides that websites and online services fully complying with an approved safe harbor program will be “deemed to be in compliance” with the Rule. The FTC proposes to strengthen its oversight of self-regulatory safe harbor programs by mandating that, at a minimum, safe harbor programs conduct annual reviews of each of their members’ information practices and periodically report the results to the FTC.

Although the proposed amendments expand and clarify the Rule in several ways, the breadth of COPPA’s coverage remains unclear. For example, the FTC has indicated it will continue to consider whether short message services and multimedia messaging services are covered by COPPA.

The FTC is seeking comments on the proposed revisions, which are due on or before November 28, 2011.

Changing Opinions

This is not the first time the FTC has issued a comprehensive FCRA report. Given the large volume of guidance materials it has amassed over time, the FTC released “Commentary on the FCRA ” in 1990 – a compilation of statements regarding how the FTC would interpret and enforce the FCRA. Much has changed since the FTC issued the 1990 Commentary: the FCRA has been significantly amended, the FTC has issued numerous new interpretive guidance documents, and developments in technology and industry practices have rendered parts of the Commentary obsolete or outdated. As a result, the FTC withdrew the 1990 Commentary when it issued the new staff report. The new staff report provides an overview of the FTC’s role in enforcing and interpreting the FCRA and includes a section-by-section summary of the FTC’s interpretations of the Act. The interpretations in the staff report differ from the 1990 Commentary in five significant areas, described below.

Commercial Transactions. The FCRA applies to written, oral, or other communications of information by consumer reporting agencies (CRAs) that fit the definition of “consumer reports.” To be considered a consumer report, information communicated by a CRA must bear on a consumer’s credit worthiness, standing, or capacity, character, general reputation, personal characteristics, or mode of living. Additionally, the information must be used or expected to be used to establish the consumer’s eligibility for credit or insurance to be used primarily for personal, family, or household purposes, employment, or other purposes specifically identified in the FCRA. One point of contention has been whether and how the FCRA applies in the context of an application for business credit as opposed to personal credit. Creditors will often obtain a credit report on the sole proprietor or other principal of a business and use the report to determine whether to extend credit to the business. It was the FTC’s position in the 1990 Commentary that “a report on a consumer for credit or insurance in connection with a business operated by the consumer is not a consumer report.” Courts have held that the purpose of the FCRA “is to protect consumers from inaccurate or arbitrary information in a consumer report which is used as a factor in determining an individual's eligibility for credit, insurance or employment” and the FCRA “does not apply to reports used for business, commercial or professional purposes.” For example, in Wrigley v. Dun & Bradstreet, Inc. a commercial reporting service issued credit reports to subscribers who used the information when deciding whether to extend commercial credit to a construction company. The reports contained the personal financial information of the construction company’s president. The court held that the credit reports were for the extension of commercial credit – even though the reports contained personal credit information – therefore the FCRA did not apply.

The staff report details how the FTC currently interprets the FCRA’s application to commercial transactions. To be sure, “a report that concerns the consumer’s business history (as opposed to personal credit or employment history) that is collected and provided by a commercial reporting service solely for use in business transactions is not a ‘consumer report’” and the report provider is not a CRA. However, “a report from a CRA on the personal credit of a consumer to a business credit grantor is a ‘consumer report’ regardless of the purpose for which the information may in fact be used.” This means that reports to business credit grantors by commercial reporting services that compile data and provide reports only for commercial purposes are not “consumer reports” subject to the FCRA. On the other hand, a report on an individual based on information that was collected for the purpose of reporting on that individual is a consumer report and the FCRA applies, even if the report is furnished in connection with a commercial transaction.

Joint Users. Does an entity become a CRA by virtue of sharing a consumer report with another party? According to the FTC’s prior interpretation, a user could share a consumer report with another user without becoming a CRA under certain circumstances. An agent could share with its principal, an employee with employer, and two users could share a consumer report for the same permissible purpose with the consumer’s consent. In these scenarios, the entity sharing the report and the recipient were deemed “joint users” and the sharing entity escaped CRA status. The FTC has now abandoned the “joint user” terminology, focusing instead on whether an entity meets the statutory definition of a CRA. If a user shares a consumer report “for the purpose of providing consumer reports to third parties,” the user may be deemed a CRA. However, a user who obtains a consumer report and shares it with another simply to effectuate a particular transaction initiated by the consumer "is not providing consumer reports to third parties” and, therefore, is not a CRA.

Departments of Motor Vehicles. The FTC no longer takes the position a DMV is a CRA when it provides motor vehicle reports for insurance underwriting purposes – even if it does so for a fee. Although a DMV or other government agency that supplies public records to third parties might be considered a CRA based on a literal reading of the FCRA, the staff report notes that such an interpretation would “lead to absurd results.” If government sources of public record information were CRAs, “government agencies would be required to suppress accurate public record information more than seven years old” and “those who provide information for use in public records – such as police officers – would be deemed furnishers, subject to a host of responsibilities under the FCRA.”

Identified Information. The FTC generally considers “credit guides” – listings that rate how well consumers pay their bills – to be consumer reports subject to the FCRA. However, the FTC previously did not consider credit guides to be consumer reports if they were coded to prevent the disclosure of a consumer’s identity. The FTC now takes the position that that credit guides (as well as other information) that do not identify consumers by name may constitute consumer reports if such guides can “otherwise reasonably be linked to the consumer.” The FTC voiced its concern that coding (particularly by Social Security number or other sensitive data) could readily lead to the disclosure of a consumer’s identity due to advancements in technology and the increasing availability of consumer data.

New Interpretations

The staff report addresses several issues not covered by the 1990 Commentary in an attempt to provide clarity regarding FCRA provisions that have generated a significant number of questions from the public. Importantly, the staff report delves into detail regarding when it is permissible for CRAs to issue (and users to obtain) consumer reports under the FCRA. One permissible purpose to obtain a consumer report is “in connection with a credit transaction involving the consumer on whom the information is to be furnished and involving the … review or collection of an account of the consumer.” The staff report states that the “review” permissible purpose applies only when a creditor has an existing account relationship with a consumer and uses a consumer report solely to decide whether to modify the terms of the account. This means that even if a creditor has a permissible “review” purpose to obtain a consumer report, it may not exploit the report to market other products or services to the consumer. CRAs are also permitted to furnish a consumer report according to the written instructions of the consumer to whom the report relates. The staff report states that written consent only qualifies as an “instruction” if it clearly authorizes the issuance of a consumer report on that consumer. For example, “I authorize you to procure a consumer report on me” is sufficient if it is in writing, but the consumer’s signature on a form stating “I understand that where appropriate, credit bureau reports may be obtained” is not. The FTC highlights a consumer’s electronic signature may be an acceptable method of providing written instructions under FCRA. To be valid under the ESIGN Act, electronic authorization must be in a form that can be retained and retrieved in a perceivable form. The FTC notes “whether an e-mail, a mouse click ‘yes,’ or other electronic means clearly conveys the consumer’s instructions depends on the specific facts.”

The staff report also reflects the statutory modifications made to the FCRA over the years. Recently, the Dodd-Frank Act amended the FCRA to impose new requirements on users of consumer reports. The FCRA requires a person taking adverse action based in whole or in part on a consumer report to provide adverse-action notice to the affected consumer. Under new rules that took effect July 21, 2011, users of credit scores must include those scores (and related information) in adverse-action notices. This requirement also applies to adverse-action decisions not related to credit. Consequently, when a user takes an adverse action based on consumer report information, regardless of the weight the credit score plays in the decision, the user must provide the consumer with a host of new information. Additionally, the FCRA requires creditors to provide risk-based pricing notice to consumers when, based on the report, the creditors grant credit or amend existing credit on terms that are “materially less favorable” than the most favorable terms obtained by a substantial portion of consumers. The Federal Reserve Board and the FTC recently amended their respective adverse action and risk-based pricing rules to reflect the recent FCRA amendments. The new rules raise a host of questions, many of which are addressed in the staff report. As the new rules apply when a credit score is used in the evaluation of a consumer, the staff report squarely addresses what constitutes a credit score and when a credit score is considered “used” under the rules. The staff report clarifies that a score that is not used to predict creditworthiness, such as an insurance score, is not a credit score and need not be disclosed. The staff report also makes clear that “use” occurs at a very low threshold - if a credit score plays any role in a user’s decision regarding a consumer then it must be disclosed.

Future of FCRA Interpretation and Enforcement

The newly created CFPB is now the primary agency responsible for interpreting the FCRA. The CFPB is vested with exclusive rulemaking authority over all federal consumer financial law – this includes the authority to issue rules under existing consumer protection statutes such as the FCRA (with limited exceptions) as well as new rules to prohibit unfair, deceptive or abusive acts or practices. The primary role of the CFPB will be supervision in order to “prevent harm to consumers from unlawful financial practices and ensure that markets for consumer financial products and services are fair, transparent, and competitive.” To accomplish this, CFPB is assembling a team of examiners that will directly observe the business practices of entities subject to CFPB jurisdiction. Examiners will assess institutions’ compliance with the FCRA and other federal consumer protection laws. According to the CFPB website, the agency will require businesses to change their practices to comply with the law and may also “require improved employee training, implementation of better policies and procedures or quality controls, and in more serious cases, monetary compensation to consumers.”

Since the adoption of the FCRA, the FTC has enforced the Act at the federal level by bringing enforcement actions against CRAs, entities that furnish information to CRAs, and users of consumer reports such as creditors and employers. The CFPB and FTC now have joint FCRA enforcement authority over a host of industries. As we noted in a previous post, the FTC is actively addressing FCRA compliance and we expect its efforts to extend beyond traditional CRAs. Earlier this year the FTC found that Social Intelligence Corporation - an Internet and social media background screening service - is a CRA subject to the FCRA. Like the FTC, we expect the CFPB will broadly interpret and actively enforce the FCRA. In so doing, the CFPB may give heavy weight to the FTC’s interpretations of the FCRA, making the staff report invaluable to businesses handling consumer report information. With new FCRA rules in place and an additional agency tasked with FCRA enforcement, businesses are wise to determine whether they are subject to the FCRA and to consider FCRA compliance.

The Experiment

Many websites use machine-readable codes that tell a browser their privacy policies - such as whether a website sends cookies and with whom the website shares personal information gained from those cookies. Websites commonly use Platform for Privacy Preferences (P3P) compact policy “tokens” such as “NID” (no identified user information collected), which represent a standardized privacy expression defined in P3P specifications. The authors of the study used a modified version of Privacy Finder, a search engine that annotates a user’s Google or Yahoo! search results with “privacy meter” icons. Privacy Finder generates these icons through an automated analysis of the P3P policies of the websites a user visits. These icons graphically represent how well a website’s privacy policy matches preferences specified by the user. The authors configured their search engine to calculate privacy warnings based on a website’s sharing of personal financial information, purchase information, or personally identifying information; a website’s refusal to allow a user to remove the user’s personal information from marketing lists; and a user’s inability to view her personal information on a website.

Three groups of participants (two control groups and one test group) using the modified search engine were told to search for products online and purchase those products using their own credit cards. All participants were instructed to purchase both an eight-pack of Duracell AA batteries and the “Pocket Rocket Jr.,” a vibrating sex toy. Both products average about $15 including the cost of shipping and are widely available online. One control group did not see any privacy meter icons when they searched for the products to purchase. The other control group saw the icons, but was told that the icons merely indicated websites’ “handicap accessibility” - a characteristic chosen as a control condition because it’s considered to be generally irrelevant to most online consumers. The test group saw the icons and was told that the icons indicated the degree of websites’ privacy protections. All participants in the study could access merchants’ privacy policies by clicking on privacy policy links displayed on the websites they visited.

The results of the study offer new insight into consumers’ valuations of personal data and online behavior. Control group participants generally purchased their products from the websites offering the lowest prices. In contrast, test group participants - who saw the privacy meter icons and knew that the icons represented the level of privacy protections utilized by the websites - were more likely to make purchases from websites offering medium or high levels of privacy, even if those sites charged higher prices for identical products. Additionally, participants demonstrated that they would spend an average of 59 to 62 cents more to buy the same product from websites offering stronger privacy protections.

The Take Away

How can businesses capitalize on these findings? The study suggests that businesses that incorporate "privacy by design"  into their online business models help promote greater consumer awareness of and control over personal information, attracting privacy-conscious consumers. Developing and implementing a website privacy policy is one aspect of the “privacy by design” framework – how a business collects and handles data online is more transparent with a privacy policy in place. While displaying a privacy policy is a good first step toward transparency, 70% of people surveyed by the Annenberg Public Policy Center of the University of Pennsylvania disagreed with the statement that “privacy policies are easy to understand.” Accordingly, if a merchant seeks to promote its online privacy practices in order to boost sales, consumers must be able to identify and understand the merchant’s privacy practices for those practices to affect consumer behavior. Typically, however, online merchants display only small links to their privacy policies at the bottom of their websites. As such, privacy policies are often overlooked by consumers. Recently, the Federal Trade Commission and consumer advocacy groups have been advocating just-in-time notice as a means of making information about privacy practices more transparent and accessible to consumers. The results of the Carnegie Mellon study seem to confirm the benefits of this approach. The study indicates that purchasing decisions may be affected when privacy practices are presented to consumers in a user-friendly fashion when they are browsing online.

The study also suggests that businesses “may use technological means to showcase their privacy-friendly privacy policies and thereby gain a competitive advantage” and “maximize profits.” Specifically, “if the adoption of P3P increases, businesses protective of customer privacy may be able to attract consumers by posting their P3P policies and signaling good privacy practices.”
 

Although privacy by design isn’t set in stone (yet), start-up companies seeking to collect and use personal information as part of their business plan may want to consider incorporating privacy by design into their everyday business practices. Similarly, as part of their due diligence process, venture capital firms scrutinizing startups seeking to leverage personal information would be well-advised to determine if privacy is being “baked into” into the products and services being offered by such startups. It may be both difficult and costly for companies to implement privacy protections retroactively if privacy concerns are overlooked during the early stages of business planning. Start-ups have the advantage of building privacy protections into their business models from the outset, which can keep those companies out of trouble in the form of litigation or agency enforcement. Privacy-conscious VCs will be more inclined to fund start-ups that reduce risk by proactively address privacy issues and potential liability. In turn, VCs that scrutinize whether privacy is part of a start-up’s business plan will be able to better protect their investment (and their investors).

So what does privacy by design mean? How can start-up companies incorporate privacy by design principles into their business practices to attract VC funding? How should privacy and security legal risks (and solutions) be written into a start-up’s business plan? This post tries to answer these questions.

Step 1 - Understand Your Business Model.

Privacy by design advances the view that privacy assurance should be companies’ default mode of operation. To build privacy protections into a business model, organizations (particularly entrepreneurs seeking VC funding) should know their business models better than anyone else. Companies must understand how they will interact with consumers at every step of each transaction when products and services are under development. From consumer solicitation to the sale of products or services, an entrepreneur should consider evaluating whether and how his or her company collects, maintains, shares, or otherwise uses consumer data. Entrepreneurs may want to conduct a run-down of any and all data involved in their business transactions, including personal consumer data (names, addresses, credit card information, etc.) as well as any other information that can be linked to a specific consumer, computer, or other device. A keen understanding of the technology used by the start-up is also crucial as the functionality provided by such technology (or the lack of certain functionalities) may impact privacy, including the ability of consumers to make decisions about their personal information. By understanding the data and technology involved at each step of the way, entrepreneurs will be more likely to spot potential risks their companies face. Companies that fully understand the scope of the data they collect and how that data is handled will be in better positions to address consumer concerns and respond to objections. Most importantly, they will be in a better position to address legal requirements and build privacy into their products and services from the outset.

Step 2: Understand Your Market.

Really understanding your business model also means understanding the market - including the wants and needs of target consumers and the privacy-related activities of similarly situated companies. Consumers are increasingly wary of privacy issues triggered by their online participation. Start-ups may want to tailor their approach to privacy issues based on their target audience, as various studies show that different subsets of the population may have different privacy expectations and concerns.

For example, a Webroot study concluded that mobile device users over the age of 39 are more concerned about the possible risks associated with geolocation tools compared to 18- to 39-year-olds. Teens may be beginning to respond to privacy concerns on online – TRUSTe found that about 64% of teens use privacy controls on social networks. The platform for personal information collection, storage and processing may also impact the scope of consumer concerns. A new report from the market research firm Nielsen confirms that many Americans have strong concerns about losing some privacy by using location-based mobile services. According to the report, 59 percent of women and 52 percent of men reported having privacy concerns with location-based services and check-in apps. Only 8 percent of women and 12 percent of men reported that they are not concerned with the privacy implications of location-based services and check-in apps.

Consumer outcry and regulatory pressure have forced companies such as Facebook and Google to change their practices, offering consumers privacy controls that are simpler and easier to use. However, while many studies and surveys conclude that people are worried about privacy, people continue to use social media sites, location-based apps, and check-in services despite their concerns. From a market point of view, it’s important for companies to attempt to determine the privacy protections consumers want, as well as what practices may be deemed invasive and “over the line” which could result in backlash.

Determining whether products and services are “over the line” is also valuable for attracting business deals and securing investments. According to a report by the Ponemon Institute, privacy issues have prompted marketers to use online behavioral advertising 75% less than they would otherwise. However, in a previous post we noted that despite consumer concerns, Internet tracking companies continue to secure new investments from VC firms. Recently, a Wall Street Journal article noted that VCs in Silicon Valley are dumping money into social start-ups promoting mobile apps. If they haven’t already, VCs may begin to factor privacy concerns into their due diligence process to avoid future consumer and agency backlash that could potentially devalue their investments. As such, incorporating privacy by design - assessing privacy issues and implementing privacy protections every step of the way – may help attract funding and avoid potential liability.

Understanding the market also means understanding the competition. From start-ups to major market players, many companies are offering privacy protective products and services in response to consumer demand. Companies should conduct thorough due diligence regarding the data practices of established, similarly-situated companies. And a thorough understanding of the market isn’t only about evaluating competitors that exist today – companies would be wise to consider what potential business combinations could become competitors in the future.

Step 3 – Understand the Legal Risk Environment.

Keeping tabs on the privacy legal landscape is important for companies and investors looking to capitalize on consumer demand, particularly those interested in tapping into online markets. Additionally, agency enforcement is on the rise. As such, researching the legal and regulatory environment is a crucial part of due diligence for entrepreneurs and VCs alike.

Multiple privacy bills from both the House and the Senate have recently been introduced. In February, Representative Jackie Speier (D-CA) introduced the “Do Not Track Me Online Act of 2011” that would give the FTC authority to establish an online do-not-track system, giving consumers the ability to prevent the collection and use of data on their online activities. Senators John Kerry (D-MA) and John McCain (R-AZ) introduced the “Commercial Privacy Bill of Rights Act of 2011” in April, which would give the FTC significant authority to create rules as to how businesses collect, use, transfer and maintain personal information (for a summary of the bill, click HERE). This month, Senator Jay Rockefeller (D-WV) introduced the “Do-Not-Track Online Act of 2011,” which would create a "universal legal obligation" for companies to honor users' opt-out requests on the Internet and mobile devices, and would give the FTC the power to take action against companies that don't comply. Also this month, Representatives Edward J. Markey (D-MA) and Joe Barton (R-TX) introduced a draft of the “Do Not Track Kids Act of 2011” which would prohibit companies from tracking children on the Internet without parental consent, restrict online marketing to minors and require an "Eraser Button" that would allow parents to eliminate kids' personal information already online. An underlying policy of all of this proposed legislation is the idea that companies should be required to give consumers more notice about the information that is being collected about them, as well as the ability to control such collection.

While much attention has been given to privacy and security legislation at the federal level, there has been a renewed sense of vigor on the state level as well. The privacy legal risk environment is constantly in flux, and the state of law may vary by jurisdiction. For example, Hawaii’s information privacy proposed bill would require breached entities to provide credit monitoring and call center services to impacted individuals. In Colorado, a proposed bill takes a new approach to incentivizing companies to implement good security (for a summary of the bill, click HERE).

This year has also seen an explosion of privacy-related litigation (the RockYou data breach litigation, Amazon privacy litigation, suits involving online tracking, cookies, history sniffing, etc.) as well as agency enforcement actions (Playdom, Google Buzz, Ceridian/Lookout, GunnAllen, etc.). The end results of agency enforcement and privacy-related lawsuits are bound to impact what the government and the public considered “acceptable” from a privacy point of view.

It can be difficult and time-consuming to navigate the legal and regulatory privacy environment, and companies are encouraged to seek the advice of experts to identify potential privacy legal risks. In many cases, to proactively address privacy concerns, it requires careful analysis and prognostication based on the bills, laws, lawsuits and regulatory actions that are in play. Oftentimes, after careful analysis, potential trends and commonalities can be gleaned that can help companies anticipate where the privacy legal environment is going. If the legal risks are identified early and companies keep up-to-date regarding their responsibilities, mechanisms can be built into products and services to allow for compliance with the current legal framework. For example, building in consumer opt-outs of data collection and honoring such requests, as well as encrypting any sensitive personal information collected, are proactive measures that may be used to provide companies with flexibility to adjust to changing legal requirements.

Step 4 – Integrate Privacy by Design.

It’s easier to tailor privacy and security protections to a company’s everyday business practices, products and services once the company has a comprehensive understanding of its business model. the market and legal compliance requirements. It is much easier for a startup company to undertake this exercise at the outset of its business planning and product/service development. As part of its privacy by design framework, the FTC urges companies to systematically consider four substantive privacy protections at all stages of the design and development of their products and services:

Data Collection. One key principle of privacy by design is that companies should automatically protect any consumer data handled by default. However a company chooses to handle consumer data, it may want to consider mechanisms that enable consumers to opt-out or opt-in of data collection practices (even if those mechanisms are not implemented from the outset). Doing so early will decrease the burden of regulatory compliance if offering opt-in or opt-out consent becomes mandatory. Another key principle of privacy by design encourages companies to handle data in a way that is visible and transparent to the consumer, and that allows companies to honor any representations they make to consumers about their business practices. The FTC has increasingly enforced this principle, settling privacy enforcement actions with Twitter and Chitika for deceptive business practices and with Ceridian and Lookout Services for unfair business practices for failing to safeguard personal employee information, among others. Companies are advised to implement data security protocols and privacy policies and to address the concerns of their consumers. Companies can avoid regulatory enforcement by understanding their commitments to protect consumer privacy, being transparent about their business practices, and adhering to their policies and procedures.

The FTC also emphasizes “minimization” – under this concept, the only consumer data that a company should collect is that which is needed to accomplish legitimate business goals. If a company has internal systems and networks, it should consider whether data is routinely saved by default if there is no legitimate business need to do so. By limiting the scope and amount of consumer data collected, companies reduce potential harms that can result in the event of a breach. The information companies need to collect wholly depends on their business model and the consumer data needed to make it work.

Security for Consumer Data. Many companies that conduct internal evaluations of their data practices will conclude that they maintain consumer data in one form or another. Companies that maintain consumer data can proactively employ physical, technical, and administrative safeguards to protect that information. As the FTC notes, the level of security required depends on the sensitivity of the data a company maintains, the size and nature of a company’s business operations, and the types of risks a company faces. A number of federal and state laws require companies to actively protect the data they maintain, and the FTC is increasingly bringing enforcement actions against companies for their failure to do so.

Maintaining adequate security for consumer data helps companies avoid potential lawsuits and FTC enforcement actions in the event of a breach, and mitigates other attendant consequences such as lost productivity and service interruptions. It also helps reduce the possibility that the enormous costs of responding to a breach will be incurred. Symantec Corporation and the Ponemon Institute estimate that the average organizational cost of a data breach in 2010 was $7.2 million and cost companies an average of $214 per compromised record.

To prevent security breaches, data loss, and other headaches, companies can proactively assess their baseline security measures. Again, a company’s thorough understanding of its business model is key in identifying potential protection gaps. Entrepreneurs and established market players alike would be wise to inventory their information assets, and understand where those assets are stored and how they’re accessed. Start-up companies can attempt to forecast their need for antivirus software, firewalls, virtual private networks (VPNs), and intrusion prevention mechanisms to protect their information assets in the face of internal and external risks. The FTC advises companies to use privacy-enhancing technologies such as identity management, data tagging tools, and Transport Layer Security/Secure Sockets Layer (“TLS/SSL”) or other encryption technologies, particularly if a company is handling sensitive consumer data. Start-ups may want to consider their plans for growth and assess whether their network security measures will be able to accommodate increased network traffic or advanced applications without disrupting service.

Data Accuracy. Privacy by design emphasizes that companies should strive to collect accurate consumer data, and that companies ought to implement mechanisms so that consumers can correct the information that companies collect about them, particularly when sensitive data is involved. Kerry and McCain’s "Commercial Privacy Bill of Rights" would require companies that collect data to provide individuals either the ability to access and correct their information, or to request cessation of its use and distribution. Regardless of whether such a requirement is codified, companies - particularly start-ups – may want to anticipate and plan for data correction procedures as well as any attendant costs.

Data Retention and Disposal. Companies can retain data for increasingly long periods of time due to the dramatically decreasing cost of data storage. A concern shared by the FTC and privacy advocates is that companies that retain data for long periods of time invent new, secondary uses for the data that consumers didn’t anticipate when they provided the data in the first place. To promote transparency and consumer notice, companies are encouraged to retain consumer data for only as long as they have a specific business need to do so. Companies are also encouraged to safely dispose of data no longer being used to further a specific business need. The "Do-Not-Track Online Act of 2011" would require online companies to destroy or anonymize personal information after it's no longer needed. We have already seen the concept of limited data retention becoming a regulatory principle in the European Union.

Conclusion

As consumers express an increased demand for privacy protections, entrepreneurs should ask themselves if their products and services provide consumers with notice and choice as to how their data is collected and handled, and tailor their business practices accordingly. Companies are wise to understand their business model and the market in order to tailor their products and services accordingly.

Consumer outcry has caused companies such as Google and Facebook to retroactively change their privacy practices – a process than can be costly with unnecessary attendant negative publicity. Anticipating and preventing privacy violations before they happen mitigates the risk such invasions will occur as well as the costs of remediation. This means having a thorough understanding of the privacy legal risk environment. Doing so is difficult as the environment is in upheaval, therefore companies would be wise to seek professional advice to navigate the legal and regulatory landscape at both the state and federal level.

A start-up company has the advantage of being able to develop and implement a privacy program early, and bake privacy into the design of their products and services, thereby ensuring that these substantive privacy protections become a foundational part of its business model. Employees can be trained early regarding the need for privacy and network security, which helps foster a consumer-protective enterprise culture. Privacy by design makes privacy an essential component of the core product or service a company delivers. Spotting privacy issues and addressing concerns before launch aligns products and services with consumer expectations and can save everyone – entrepreneurs and VCs alike – from future headaches.

Ceridian Allegations

The FTC alleged that the privacy and information security representations Ceridian disseminated thought the company’s website were false and misleading and, therefore, constituted unfair or deceptive acts or practices that violated Section 5(a) of the Federal Trade Commission Act. Specifically, the FTC alleged that Ceridian made the following representations regarding the privacy and confidentiality of the personal information the company collected:

Worry-free Safety & Reliability . . . When managing employee health and payroll data, security is paramount with Ceridian. Our comprehensive security program is designed in accordance with ISO 27000 series standards, industry best practices and federal, state and local regulatory requirements.

With respect to its information security measures, the Ceridian stated:

Confidentiality and Privacy: [Ceridian] shall use the same degree of care as it uses to protect its own confidential information of like nature, but no less than a reasonable degree of care, to maintain in confidence the confidential information of the [customer].

The FTC alleged that these statements were false and misleading because Ceridian:

• Stored personal information in clear, readable text;
• Created unnecessary risks to personal information by storing it indefinitely on its network without a business need;
• Did not adequately assess the vulnerability of its web applications and network to commonly known or reasonably foreseeable attacks, such as “Structured Query Language” (“SQL”) injection attacks;
• Did not implement readily available, free or low-cost defenses to such attacks; and
• Failed to employ reasonable measures to detect and prevent unauthorized access to personal information.

The FTC alleged that hackers exploited these vulnerabilities by launching an SQL injection attack on the company's website and web application. The hackers gained access to Ceridian's network and obtained customers' employee data (including bank account numbers, Social Security numbers, and dates of birth). The breach affected the personal information of at least 27,673 individuals.

Lookout Allegations

The FTC alleged similar privacy and security violations by Lookout.  Specifically, the FTC alleged that Lookout made the following representations regarding the security of employee data the company maintained:

Although the data is entered via the web, your data will be encoded and transmitted over secured lines to Lookout Services server. This FTP interface will protect your data from interception, as well as, keep the data secure from unauthorized access.... Our servers are continuously monitoring attempted network attacks on a 24 x 7 basis, using sophisticated
software tools.

The FTC alleged that these representations were false and misleading and violated Section 5(a) of the FTC Act because Lookout:

• Failed to establish or enforce rules sufficient to make user credentials (i.e., user ID and password) hard to guess; for example, the company did not require its customers or employees to use complex passwords to access the product database;
• Failed to require periodic changes of user credentials for customers and employees with access to sensitive personal information;
• Failed to suspend user credentials after a certain number of unsuccessful login attempts;
• Did not adequately assess and address the vulnerability of the company's web application to widely-known security flaws, such as “predictable resource location,” which enables users to easily predict patterns and manipulate the uniform resource locators (“URLs”) to gain access to secure web pages;
• Allowed users to bypass the authentication procedures on Lookout’s website when
  they typed in a specific URL;
• Failed to employ sufficient measures to detect and prevent unauthorized access to
  computer networks, such as by employing an intrusion detection system and
  monitoring system logs; and
• Created an unnecessary risk to personal information by storing passwords used to
  access the product database in clear text.

The FTC alleged that these deficiencies enabled an employee of a Lookout customer to gain
access to the personal information of over 37,000 individuals (including names, addresses, dates of birth and Social Security numbers). The employee obtained a URL for a secure Lookout web page during a webinar for the company's I-9 compliance solution. She subsequently typed that URL into her browser and gained access to employee personal information without having to provide valid user credential. The employee also visited Lookout’s public-facing login web page for the company's product and successfully guessed and entered several different user IDs and passwords, including the user ID “test” and the password “test.” As a result, the employee was able to access the personal information of more than 11,000 individuals. Then, by making minimal and easy-to-guess changes to the URL, the employee gained access to the entire product database, which included the personal information of more than 37,000 individuals. The FTC alleged that because Lookout did not employ an intrusion detection system until October 2009, or adequately monitor system logs until December 2009, it was unknown if other unauthorized persons accessed the personal information in the company's database before that time.

Settlements

The settlement orders bar the misrepresentations, including misleading claims about the privacy, confidentiality, or integrity of any personal information collected from or about consumers (including customers' employees). The FTC also requires the companies to implement a comprehensive information security program and to obtain independent, third party security audits every other year for 20 years. 

The comprehensive security program must contain administrative, technical and physical safeguards appropriate to each company's size and complexity, the nature and scope of its activities, and the sensitivity of the information collected from or about consumers and employees.

Specifically, the consent orders require each company to:

• Designate an employee or employees to coordinate and be accountable for the information security program;
• Identify material internal and external risks to the security, confidentiality and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks;
• Design and implement reasonable safeguards to control the risks identified through risk assessment, and regularly test or monitor the effectiveness of the safeguards’ key controls, systems, and procedures;
• Develop and use reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from Ceridian, and require service providers by contract to implement and maintain appropriate safeguards; and
• Evaluate and adjust its information security programs in light of the results of testing and monitoring, any material changes to operations or business arrangements, or any other circumstances that it knows or has reason to know may have a material impact on its information security program.

Lessons Learned

The FTC's enforcement actions against Ceridian and Lookout likely signal a two-fold expansion of the Commission's privacy and data security enforcement activities: to smaller-scale violations and violations affecting employee data. The two actions are not typical for the FTC for several reasons. First, the incidents affected a relatively small number of individuals (with no hard evidence of malicious hacking at Lookout).  In addition, the enforcement actions focused on the personal information of employees rather than consumers. While consumers are the focus of an overwhelming majority of the FTC's privacy and information security enforcement, the FTC has long viewed its Section 5 jurisdiction broadly.  As early as 2000, the FTC took the position that it "has the same jurisdiction in the employment-related data situation as it would generally under Section 5 of the FTC Act … [A]ssuming a case met our existing criteria (unfairness or deception) for a privacy-related enforcement action, we could take action in the employment-related data situation." With Ceridian and Lookout settlements, the FTC seems to want to dispel the notion that it is focused solely on large scale, high profile privacy and information security violations affecting consumers. This is another reason to take a hard look at your company's privacy and information security compliance.

Entities Covered by the Act. The Act defines “covered entities” as any person that collects, uses, transfers or maintains covered information concerning more than 5,000 individuals during any consecutive 12-month period and is subject to FTC jurisdiction, as well as telecommunication common carriers and non-profit organizations.

Information Protected Under the Act. The various provisions of the Act address “covered information” which includes personally identifiable information (“PII”), unique identifier information (“UII”), and any information that is collected, used, or maintained in connection with PII or UII that may be used to identify an individual. Some provisions require businesses to comply with specific obligations when dealing with “sensitive” PII, which is defined as PII which, if lost, compromised, or disclosed without authorization could “result in harm to an individual.”

Some information is always considered PII of the individual to whom it pertains, including:

• First name (or initial) and last name;
• Residential address;
• E-mail address if it contains the individual’s name (the draft brackets indicate it is currently undecided whether that means the individual’s full name, legal name, maiden name, nickname, initials, or names embedded with other letters or characters such as Danny123@xyz.com);
• Telephone or mobile device numbers other than those considered work contact numbers;
• Social security numbers and other government-issued identification numbers
• Credit card numbers;
• Unique persistent identifiers (including cookies, user IDs, processor serial numbers, or device serial numbers) if used to identify a specific individual; and
• Biometric data, including fingerprints and retina scans.

If used, transferred, or maintained in connection with one or more pieces of PII listed above, the following information is also considered PII:

• Birth date, birth or adoption certificate number, or place of birth;
• Unique persistent identifiers (not limited to those used to identify a specific individual);
• Precise geographic location; and
• Any other information concerning an individual that may “reasonably be used to identify that individual.”

UII includes unique persistent identifiers other than those qualifying as PII, including “a customer number held in a cookie, user ID, processor serial number, or device serial number.”

Data Collection, Integrity and Retention Constraints. Covered entities may collect only as much covered information about an individual as is reasonably necessary to improve their services through research and development, provide services requested by or consented to by the individual, or to prevent fraud. Covered entities are required to establish procedures to ensure that the PII they maintain is accurate. The Act restricts the retention of covered information to a period only as long as necessary to provide a service or for a reasonable period of time if the service is ongoing.

Right to Notice. Covered entities must provide readily accessible notice regarding the collection and use of covered information as well notify individuals of any changes to the entity’s collection and use practices. The FTC will establish rules requiring a covered entity to provide individuals with a mechanism for opt-in consent for:

• The collection, use, or transfer of an individual’s sensitive PII other than to process transactions or services requested by the individual, for fraud prevention and detection, or to provide for a secure environment;
• The use or transfer of previously collected PII if there is a material change in the entity’s practices requiring notice to the individual; and
• The transfer of PII, UII, and other covered information to third parties for an unauthorized use or public display.

The FTC’s rules will also require covered entities to offer individuals a mechanism for opt-out consent for any unauthorized use of their PII.

Right to Access. Covered entities are required to provide individuals reasonable access to their PII. If an individual terminates a service or relationship with the covered entity or if the entity enters bankruptcy, individuals are given the right to demand that PII be rendered not personally identifiable or if that is not possible, to cease its collection, use, transfer or maintenance.

Constraints on Transfers to and Use by Third Parties. The Act prohibits third parties from unauthorized use of PII for which opt-in consent is required, unless the individual is notified of and consents to the use. A “third party” is a person that is not related to the covered entity by common ownership or control nor contractually required to comply with the covered entity’s privacy policies, privacy controls, and any applicable confidentiality agreement.

A covered entity is required to provide notice to individuals if the entity intends to transfer covered information to third parties. If a third party receives covered information from a covered entity, the third party is treated as a covered entity under the Act unless the FTC decides otherwise. When a transfer occurs, the covered entity and third party must enter into a contract ensuring that "the third party will not combine information that is not personally identifiable ... with other information in order to identify individuals with that information." The concept of transfer is not limited to situations where active steps are undertaken by a covered entity – it includes the collection of the information by a third party through a covered entity’s website, mobile application, or other consumer interface. Transfers to "unreliable third parties" are prohibited.

Unauthorized Use. The term ‘‘unauthorized use’’ means the use of covered information for any purpose not authorized by the individual to whom the information pertains, other than use:

• To process a transaction or service requested by that individual;
• To operate the covered entity that is providing a transaction or service requested by that individual, such as inventory management, accounting, planning, product or service improvement or forecasting;
• To prevent or detect fraud or to provide for a secure environment;
• To investigate a possible crime or that is required by law or legal process;
• To market or advertise to an individual from a covered entity if the personally identifiable information used for such marketing or advertising was collected directly by the covered entity;
• Necessary for the improvement of the transaction or service through research and development; or
• Necessary for internal operations, including collecting customer satisfaction surveys to improve customer service information as well as collection of website visit and click-through rates to improve site navigation.

Enforcement and Penalties. The FTC is granted enforcement authority and state attorneys general are given civil action authority to enforce the Act. The Act does not provide for a private right of action, which is likely to raise opposition from privacy advocates. Monetary penalties for violating the Act are stiff - a covered entity that knowingly or repeatedly violates the Act is liable for a civil penalty of $16,500 multiplied by the number of days of noncompliance. If a covered entity violates the Act and fails to obtain proper consent when required, the penalty is $16,500 multiplied by the number of days of noncompliance or the number of individuals whose consent was not obtained, whichever is greater. However, liability is capped at $2 or $3 million depending on the nature of the violation.

Effect on Other Laws. State laws are preempted by the Act, except those laws dealing with health or financial information or data breach notification.

Safe Harbor Programs. The Act requires the FTC to create requirements for “safe harbor programs.” The programs, administered by non-governmental organizations, will be designed to enable participants to implement the requirements of the Act, implement "comprehensive information privacy programs," and offer consumers a means to opt out if a participant transfers covered information to a third party for an unauthorized use. A covered entity that participates in such a program is exempt from the major provisions of the Act if, according to the FTC’s determination, the program obligates participants to comply with requirements that are substantially the same as, or more protective of privacy than, the provisions of the Act. The programs are to be supervised and enforced (with penalties) by the FTC.

With the exception of the FTC’s enforcement actions cracking down on unfair and deceptive practices, the government has favored industry self-regulation over privacy legislation. Between the new draft of the "Commercial Privacy Bill of Rights Act of 2011," three separate privacy bills pending in the House, and the Obama administration backing a “consumer privacy bill of rights,” it looks like change is in the air (and I’m not just saying that to be clever).

If this doesn’t surprise you, consider the relatively hostile regulatory and legal environment that Internet tracking companies currently face. The Wall Street Journal's year-long What They Know investigation into online tracking has exposed a fast-growing network of hundreds of companies that collect highly personal details about Internet users. The FTC called for a "do-not-track" system in December. Several privacy bills affecting the collection and use of personal data were introduced in the House already this year. Privacy lawsuits against online behavioral tracking companies abound. 

A number of the FTC’s recent privacy-related enforcement actions give businesses a reason to be increasingly wary of Internet tracking practices. For example, in 2009 the FTC filed a complaint against Sears because the company failed to adequately disclose to consumers the scope of the data Sears collected using tracking software. Additionally, some heavy-hitters in the Internet market are calling for stronger consumer privacy protections given the spotlight on Internet privacy concerns. Mozilla added a do-not-track tool to an upcoming version of its Firefox Web browser. Microsoft recently followed suit - its upcoming Web browser, Internet Explorer 9, will also include an anti-tracking tool that will let users create their own custom lists of companies to block from tracking them. For companies implementing anti-tracking mechanisms, consumer backlash against online tracking appears to trump the concerns voiced by Internet advertisers and tracking companies that such tools will negatively impact their businesses.

In some ways, the VC market has been quite reactive to the changing privacy landscape. The surging demand for online privacy protections spells market opportunity. Numerous start-ups offering privacy protection products and services have emerged in response growing concerns regarding the collection and use of personal data, and consumers seem receptive. For example, within two weeks after software engineer Brian Kennish launched “Facebook Disconnect” – free software that prevented Facebook widgets from inadvertently transmitting users’ personal data - 50,000 people had installed it. Given his initial success, Mr. Kennish launched a new piece of software - “Disconnect” - which blocks a wider array of widgets on Facebook, Twitter and Digg, and prevents search engines from providing personalized search results based on tracking user behavior. Mr. Kennish’s success didn’t go unnoticed in the investment world – he has received three acquisition offers and four unsolicited investment offers. Last June, SafetyWeb received $8 million in VC financing. TRUSTe got $12 million. ReputationDefender raised $15 million even though the company wasn’t actively looking for new cash. The jump in privacy-related investments underscores how online privacy protection is increasingly viewed as a real business, attracting prominent investors such as Bessemer Venture Partners, Accel Partners, Kleiner Perkins Caufield & Byers.

While some VCs are moving to Privacyville, VC investment in Internet tracking isn’t slowing down. VCs as a group have invested $4.7 billion in 356 online-ad firms since 2007 and continue to pour money into Internet tracking companies. To be sure, these VCs aren’t ignoring privacy litigation and potential regulation when making investment decisions – companies endorsing tracking techniques with greater privacy implications may be considered less attractive to fund. For example, First Round Capital, which ranks among the VC firms most heavily invested in Internet tracking, has declined investments in companies that marry online data with offline databases to develop richer portraits of Internet users.

The FTC recently encouraged companies to take a "privacy by design" approach, integrating consumer privacy protections into their regular business operations and at every stage of product development. A company that addresses privacy issues during business development, rather than after, will be in a better position to secure VC funding. It may be too difficult for a company to reverse course in order to address privacy concerns that were overlooked during the development of its products or services. This could lead to an insurmountable hurdle in the road toward funding if VCs perceive the privacy concerns as too great a risk.

As a result, companies – particularly those in the field of Internet advertising and tracking - should conduct thorough privacy due diligence. The same goes for VCs looking to add these companies to their portfolios. VCs that fail to evaluate the current and future privacy landscape while conducting due diligence may unsuspectingly invest in superficially attractive but ultimately non-viable ventures. Companies and VCs alike should have intimate knowledge of the privacy concerns raised by consumers and businesses, understand the implications of privacy laws and pending legislation, and be aware of privacy-related enforcement actions and litigation.

The near-collapse of the global financial system in late 2008 demonstrated how capital markets can place too much faith in technology stocks and reinforce an unhealthy obsession with short-term financial performance. The comparatively small number of companies that have been able to innovate repeatedly over long periods of time tend to have strong relationships with their customers. The more our lives are lived online, the greater the privacy implications of online tracking become. Internet tracking companies that fail to tailor their products and services to address growing privacy concerns may be unable to sustain relationships with consumers that will prove necessary for their survival. If long-term innovation is the goal, perhaps VCs will become more reactive to the tumultuous privacy landscape when making investment decisions. It’s quite possible that greater VC reactivity will mean increased investment hesitancy.  To disprove hesitancy, companies are well-advised to seek guidance while developing their business plans to adequately anticipate and address growing privacy concerns.

The legislation limits the definition of "creditor" under the FCRA to entities that:

1. obtain or use consumer reports, directly or indirectly, in connection with a credit transaction;
2. furnish information to consumer reporting agencies (see 15 U.S.C. 1681s-2) in connection with a credit transaction; or
3. advance funds to or on behalf of a person (based on the person's obligation to repay the funds or repayable from property pledged by or on behalf of the person).

More importantly, the amendment specifically excludes from the definition of "creditor" entities that advance funds "to or on behalf of a person for expenses incidental to a service provided by the creditor to that person." This exclusion means that entities that both provide a product or service and allow customers to pay for the product or service at a later time would not be subject to the Red Flags Rule, provided such entities do not engage in the activities enumerated in bullets (1) or (2) above.

The FTC will begin enforcing the Red Flags Rule on December 31, 2010. By this deadline, financial institutions and creditors subject to the FTC's jurisdiction must have an identity prevention program in place to the extent they are required to do so by the Rule. 

The Report’s “proposed new framework for consumer privacy” is designed to reflect and balance (i) the realities of new online practices and business models, (ii) while comporting with existing FTC and applicable federal and state law, (iii) encouraging new products and services to meet consumers’ needs and wants, and (iv) finally to provide “common assumptions and bedrock protections” that consumers and businesses alike can rely upon and plan around.

 To these ends, the Report's proposed framework contains three major elements:

• Integration of privacy by companies into “regular business operations and at every stage of product development” with a goal of reducing consumer burdens in choosing from among “privacy protective data practices;” and
• Streamlining privacy options for consumers, while “preserving beneficial uses of data” by agreeing upon “commonly accepted practices” and providing “clear and prominently disclosed choices for all other data practices;” and a
• Increased transparency of data practices by both consumer-facing and backend online businesses.

 The Report makes clear that the framework is not cut from whole cloth, but built “upon the FTC’s notice-and-choice and harm-based privacy models while also addressing some of their limitations,” and calls upon, what the FTC dubs four “basic building blocks” of the framework, detailed in brief here and in further detail below, including:

• Universal scope, where the proposed framework would, in a departure from existing applicable state data privacy regimes, apply to any and all commercial entities that “collect or use consumer data that can be reasonably linked to a specified consumer, computer, or other device.”
• Privacy by Design, where, as noted above, the FTC recommends privacy be baked into the mix from the get go in any product or services development, along with maintenance of “comprehensive data management procedures throughout the life cycle” of the products and services.
• Simplifying consumer choice as to the collection and use of data by providing “commonly accepted practices” and appropriate choices at other applicable times and contexts designed to simplify consumer decision making.
• Greater transparency by companies of their existing data practices, with “clearer, shorter and more standardized” privacy notices, to achieve a goal of enhancing understanding and comparison between companies, along with concomitant “reasonable access” by consumers to the data companies hold about them.

Once the framework is finalized, the FTC has stated its staff may conduct surveys and conduct “other benchmarks” to evaluate industry implementation and use its existing authority under Section 5 of the FTC Act, 15 U.S.C. § 45, and other applicable statutes in investigative and enforcement actions.

 "Building Blocks" in Detail

1. Universal Scope

The Report notes that the newly proposed framework’s scope contains two main points, namely, that: (a) the framework “would apply to all commercial entities that collect consumer data in both offline and online contexts, regardless of whether such entities interact directly with consumers” and (b) the proposed framework applies to data “that can be reasonably linked to a specific consumer, computer, or other device” and not just traditional personally identifiable information (“PII”).

The rationale underlying the FTC’s proposed universal scope is that consumers are significantly unaware of the breadth and depth of data and sharing thereafter, and that the traditional break between PII and non-PII info has lost significance because of technology advancements and the scope of data aggregation that could allow “to re-identify consumers from supposedly anonymous data.”

The Department of Health and Human Services (HHS) earlier this year proposed expanding the reach of the Health Insurance Portability and Accountability Act of 1996's (HIPAA) Security, Privacy and Enforcement Rules, pursuant to the HITECH Act, to require  “business associates” secure Protected Health Information (PHI) of covered entities (see InfolawGroup's earlier posts detailing the proposed modifications to the various HIPAA Rules, Part One and Part Two), the FTC’s newly proposed framework approaches privacy from the angle of whether any “consumer data” can be tied back to a specified individual, computer or "other device," rather than adopting a straight definition of what qualifies as date that garners protection or on the form and format of the date.

To date many states breach and privacy statutes have typically focused, as a threshold matter, on whether applicable data contains "personally indentifiable information" (PII), as defined under the applicable rubric.  Similarly under HIPAA whether data qualifies as PHI requires consulting a list of eighteen identifiers. The framework's contrasting universal scope is actually fairfly consistent with the FTC’s previous Health Breach Notification Rule, 16 C.F.R. § 318 (2009), (HBNR), issued pursuant to the American Recovery and Reinvestment Act of 2009, which requires “vendors of personal health records and related entities to notify consumers when the security of their individually identifiable health information has been breached.” However, to avoid conflicts with HIPAA's separate framework the FTC's HBNR expressly provides, with caveats, that “the rule ‘does not apply to HIPAA-covered entities, or to any other entity to the extent that it engages in activities as a business associate of a HIPAA-covered entity.'’’

This universal scope has, as the FTC acknowledges, raised numerous material questions, which the FTC seeks comment on over the next nearly two months (e.g., what are the practical considerations that weigh in favor of excluding certain entities; is it feasible to cover all data that can be “reasonably linked to a specific consumer, computer, or other device,” and should the framework be applicable to data that, “while not currently considered ‘linkable,’ may become so in the future"? Etc.). The FTC also seeks feedback as to whether any existing technical means may “more effectively ‘anonymize’ data, and whether industry norms are emerging in this area” which dovetails with the point made during FTC's presentation of the Report that any laws and rules enacted can only go so far in the privacy area without a steady applicable of technology.

2. Privacy by Design

The new framework proposes that privacy be considered and incorporated throughout organizations at each stage of the design and development of products and services that may interact with consumer data, rather than as is more common, being bolted on as an afterthought. As part of the framework, the FTC proposes limited data collection, a baseline of “reasonable security for consumer data” (see InfoLaw Group partner, David Navetta's article, The Legal Defensibility Era), and, as possible methods to ensuring privacy by design, additional employee training, regular privacy reviews, and assigning specific individual to oversee privacy issues (which is interestingly a requirement in many FTC breach related enforcement action settlements - e.g., Eli Lilly settlement with FTC regarding security breach, here).

The rationale for adoption of this building block is that it would place the onus of providing privacy and security on those companies working with the consumer data rather than forcing consumers to “read long notices to determine whether basic privacy protections are offered.”

In providing privacy by design into practices, the FTC framework highlights four critically important protections:

• Reasonable Safeguards – which are dependent on the sensitivity of the data at issue, the size and nature of the business operation and the type of risks faced, and should include physical, technical, and administrative efforts. The Report does note that various federal and state laws, including various existing FTC standards, already require such efforts (providing as example, the Disposal of Consumer Report Information and Records, 16 C.F.R. § 682 (2005); FTC Standards for Safeguarding Customer Information Rule, 16 C.F.R. § 314 (2002); HIPAA Security Standards for the Protection of Electronic Personal Health Information, 45 C.F.R. §§ 160, 162, 164 (2003); Mass. Gen. Laws ch. 93H, § 2(2007); and Cal. Civil Code § 1798.81.5 (2010)). 
• Limited data collection – whereby a company should collect only the “the information needed to fulfill a specific, legitimate business need.” The reasoning in support of this protection is that doing so is “important in light of companies’ increased ability to collect, aggregate, and match consumer data and to develop new ways of profiting from it.”
• Reasonable data retention periods – the yin to the yang of limiting data collected is retaining such data “only as long as [entities] [] have a specific and legitimate business need to do so.” The Report notes that the massive drop in data storage costs have enabled and indeed encouraged companies to retain all data in near perpetuity, leading to the companies seeking to mine such data by developing future secondary uses for it that neither the consumer nor the company envisioned at the time of collection. The FTC here further stresses that secure disposal is a must (e.g., FTC cases against DSW Shoe Warehouse, BJ’s Wholesale Club and Card Systems).
• Accurate data collection – the last point in the FTC’s four point schema is an insistence that companies take reasonable steps to ensure the accuracy of the data collected, “particularly if such data could be used to deny consumers benefits or cause significant harm.”

In connection with these four protections the FTC seeks comment and feedback on other substantive protections that should possibly be provided and "how to balance the costs and benefits of such protections."  Other express areas the FTC seeks comment on is: "whether the concept of 'specific business purpose' or 'need' should be defined further, and if so, how?"; prescription of setting reasonable retention periods based upon "the type or the sensitivity of the data at issue"; and application of the protections to legacy systems.

In Part 2, I'll look at the remaining two building blocks and the Report's focus on potential Do Not Track solutions.

• Implementation of privacy by design; building privacy choices and technology into products and services as they are developed

• Transparency of privacy practices and consumer privacy notices; providing short, precise notices at the data collection point

• Simplification of consumer choices; making the choices meaningful

• Simplification of consumer choices through a one stop shop for opting out of marketing or tracking (the FTC distinguishes between tracking and targeting); Mr. Vladeck believes there are technological means to implement this option, but the FTC does not have the authority to mandate such a system without Congressional action

• Respect for consumers' choices; the FTC will not tolerate use of technological means to circumvent consumer choice

• Encouraging competition on privacy by enabling consumers to compare privacy practices of competing websites

• Strong protection for sensitive data, such as children's information, geo-location data and other information

• Giving consumers access to their data; access is an important ingredient in privacy accountability

• Focus on consumer and business education about privacy

Mr. Vladeck encouraged privacy stakeholders to answer questions that the FTC’s report will pose and provide other comments. The deadline for comments will be January 31, 2011.

Check back with us later today for a detailed analysis of the FTC’s report.

The FTC's Red Flags Rule implements Section 114 of the FCRA.  The Rule requires certain creditors and financial institutions subject to the FTC's jurisdiction to develop and implement a written identity theft prevention program designed to detect, prevent and mitigate fraud attempted or committed through identity theft.

The cause of the multiple enforcement delays is the Rule's definition of "creditor" and the FTC's broad interpretation of the term. Specifically, the FTC has taken the position that, in addition to entities that lend money or participate in credit decisions, a "creditor" subject to the Rule includes any entity that sells goods or services and allows customers to pay for the goods or services later. The FTC's broad interpretation of the term "creditor" has thus turned any business that employs invoice billing into a creditor subject to the Rule.

The proposed bill seeks to largely limit the applicability of the Red Flags Rule to entities commonly understood to be creditors. Pursuant to the bill, "creditors" would be defined as entities that:

1. obtain or use consumer reports, directly or indirectly, in connection with a credit transaction;
2. furnish information to consumer reporting agencies (see 15 U.S.C. 1681s-2) in connection with a credit transaction; or
3. advance funds to or on behalf of a person (based on the person's obligation to repay the funds or repayable from property pledged by or on behalf of the person).

More importantly, the proposed bill specifically excludes from the definition of "creditor" entities that advance funds "to or on behalf of a person for expenses incidental to a service provided by the creditor to that person." This exclusion suggests that entities that both provide a product or service and allow customers to pay for the product or service at a later time would not be subject to the Red Flags Rule, provided such entities do not engage in the activities enumerated in bullets (1) or (2) above.

The BLT is reporting that the appellate panel struggled with the Red Flags Rule's terms in trying to determine whether the FTC's interpretation of the Rule exceeded the agency's authority in regulating attorneys. The issues in the case are both whether and in which circumstances the federal government can regulate attorneys, and the propriety of the FTC's interpretation of FACTA and the Red Flags Rule as applying to at least some attorneys who receive payment only after providing services to a client. 

The ABA and the FTC have clearly articulated their positions on the issue. According to the BLT, FTC attorney Michael Bergman argued that "lawyers are no different — though they might think they are — from other service providers,” and "judge Thomas Griffith echoed that argument... discounting the ABA’s argument that Congress must be explicit when it intends to regulate the legal profession because the industry is the longtime province of states." The ABA Journal is quoting ABA's President Stephen N. Zack, who observed that "the mission of every lawyer is to provide aid and counsel to our clients and improve access to the justice system — not to push paperwork that attempts to solve what is, for the legal profession, a non-existent problem and promises to raise legal costs."

Who is Covered

The proposed legislation would apply to persons and entities over which the FTC has authority AND non-profits.

Definition of Personal Information

Interestingly, the proposed definition of personal information looks like the traditional definition used in this country and not the more expansive definitions proposed in the Boucher Bill and BEST PRACTICES ACT. The bill defines personal information as "an individual's first name or initial and last name, or address, or phone number, in combination with any 1 or more of the following data elements for that individual: (i) Social Security number. (ii) Driver's license number, passport number, military identification number, or other similar number issued on a government document used to verify identity. (iii) Financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual's financial account."

However, the bill would allow the FTC to modify this definition by rulemaking (a) for purposes of the information security program and information broker provisions to the extent that the modification would not unreasonably impede interstate commerce and would accomplish the purposes of this Act; or (b) for purposes of the breach notification requirements to the extent that the modification is necessary to accommodate changes in technology or practices, would not unreasonably impede interstate commerce, and would accomplish the purposes of this Act.

Preemption

S. 3472 would preempt any state law that expressly (1) requires information security practices and treatment of data containing personal information similar to any of those required by the bill; and (2) requires notification to individuals of a breach of security resulting in unauthorized access to or acquisition of data in electronic form containing personal information.  The Act also makes clear that no person other than State Attorneys General may bring a civil action under the laws of any State if such action is premised in whole or in part upon the defendant violating any provision of the Act.

Information Security Policies, Procedures and Programs

Like several of the other proposed federal bills, S. 3742 would require the FTC to promulgate regulations to require every covered entity that owns or possesses data containing personal information, or contracts to have any third party entity maintain such data for such covered entity, to establish and implement policies and procedures regarding information security practices for the treatment and protection of personal information.  Reminiscent of some existing state and sectoral privacy and data security laws, this bill would require that such policies and procedures take into consideration (a) the size of, and the nature, scope, and complexity of the activities engaged in by the covered entity; (b) the current state of the art in administrative, technical, and physical safeguards for protecting such information; and (c) the cost of implementing such safeguards. 

Such policies and procedures would include (a) a security policy with respect to the collection, use, sale, other dissemination, and maintenance of personal information; (b) the identification of an officer or other individual as the point of contact with responsibility for the management of information security; (c) a process for identifying and assessing any reasonably foreseeable vulnerabilities in the system or systems maintained by the covered entity, including regular monitoring for a breach of security; (d) a process for taking preventive and corrective action to mitigate against any vulnerabilities identified in the process, which might include implementing any changes to security practices and the architecture, installation, or implementation of network or operating software; (e) a process for disposing of data in electronic form containing personal information by shredding, permanently erasing, or otherwise modifying the personal information contained in such data to make such personal information permanently unreadable or indecipherable; and (f) a standard method or methods for the destruction of paper documents and other non-electronic data containing personal information.

All of this sounds very similar to the Gramm-Leach-Bliley Act and Massachusetts' data security regulations, 201 CMR 17.00 et seq. (which took effect in March of this year) and therefore should not come as a surprise to most national or multinational organizations.

Special Requirements for Information Brokers

Not unlike the Leahy bill, S. 1490, S. 3472 includes a number of provisions that impose additional burdens and requirements on the collection, use, and disclosure of information by "information brokers."  These requirements include accuracy, access, and dispute requirements similar to the Fair Credit Reporting Act's (FCRA) requirements for consumer reporting agencies.  Indeed, the bill explicitly provides that information brokers engaged in activities subject to FCRA and who are in compliance with sections 609, 610, and 611 of FCRA shall be deemed to be in compliance with certain of the bill's information broker provisions.

So the first question is - well, who is an "information broker"?  An "information broker" under the bill:

(A) means a commercial entity whose business is to collect, assemble, or maintain personal information concerning individuals who are not current or former customers of such entity in order to sell such information or provide access to such information to any nonaffiliated third party in exchange for consideration, whether such collection, assembly, or maintenance of personal information is performed by the information broker directly, or by contract or subcontract with any other entity; and

(B) does not include a commercial entity to the extent that such entity processes information collected by or on behalf of and received from or on behalf of a nonaffiliated third party concerning individuals who are current or former customers or employees of such third party to enable such third party directly or through parties acting on its behalf to: (1) provide benefits for its employees; or (2) directly transact business with its customers.

The bill explicitly exempts from its information broker provisions "a service provider for any electronic communication by a third party to the extent that the service provider is exclusively engaged in the transmission, routing, or temporary, intermediate, or transient storage of that communication."

Information brokers would be required to submit their security policies to the FTC in conjunction with a notification of a breach of security or upon request of the Commission.  Further, for any information broker required to provide notification of a security breach, the proposed legislation gives the FTC authority to conduct audits of the information security practices of such information broker, or require the information broker to conduct independent audits of such practices (by an independent auditor who has not audited such information broker's security practices during the preceding 5 years).

In addition, information brokers would be required, with certain limited exceptions, to establish reasonable procedures to assure the maximum possible accuracy of the information they collect, assemble, or maintain regarding individuals other than information which merely identifies an individual's name or address. 

The bill also would require information brokers to provide to each individual whose personal information they maintain, at the individual's request at least one time per year and at no cost to the individual, and after verifying the identity of such individual, a means for the individual to review their information, and to place a conspicuous notice on their websites instructing individuals how to request access to such information and, as applicable, how to express a preference with respect to the use of personal information for marketing purposes.  (This refers to another portion of the bill that requires an information broker that maintains any information which is used, shared, or sold by such information broker for marketing purposes to, in lieu of complying with the normal access and dispute requirements, provide each individual whose information it maintains with a reasonable means of expressing a preference not to have his or her information used for such purposes. If the individual expresses such a preference, the information broker may not use, share, or sell the individual's information for marketing purposes.)

Whenever an individual whose information the information broker maintains makes a written request disputing the accuracy of any such information, the information broker, after verifying the identity of the individual making such request and unless there are reasonable grounds to believe such request is frivolous or irrelevant, would be required to correct any inaccuracy.  There are exceptions to the access and dispute requirements in certain limited circumstances.

Information brokers would also be required to establish measures which facilitate the auditing or retracing of any internal or external access to, or transmission of, any data containing personal information that they collect, assemble, or maintain.

The bill includes anti-pretexting provisions that would make it unlawful for an information broker to obtain or attempt to obtain, or cause to be disclosed or attempt to cause to be disclosed to any person, personal information or any other information relating to any person by (i) making a false, fictitious, or fraudulent statement or representation to any person; or (ii) providing any document or other information to any person that the information broker knows or should know to be forged, counterfeit, lost, stolen, or fraudulently obtained, or to contain a false, fictitious, or fraudulent statement or representation.

Breach Notification Requirements

The breach notification provisions of S. 3742 would require that any covered entity that owns or possesses data in electronic form containing personal information, not later than 60 days following the discovery of a breach of security of the system maintained by such covered entity that contains such data, (1) notify each individual who is a citizen or resident of the United States whose personal information was acquired or accessed as a result of such a breach of security; and (2) notify the FTC.  The bill requires that a covered entity notify the major national credit reporting agencies of the timing and distribution of the notices if the covered entity must provide notification to more than 5,000 individuals.  Such notice must be provided prior to distribution of the notices to affected individuals if it will not delay notice to those individuals.

Before discussing in detail the breach notification requirements, it is important to note a major exemption and presumption built into the bill.  There is a risk of harm threshold in this bill.  A covered entity is exempt from the requirements if, following a breach of security, such covered entity determines that there is "no reasonable risk of identity theft, fraud, or other unlawful conduct."  Significantly, and reminiscent of the breach notification provisions in the HITECH Act, if the data in electronic form containing personal information is rendered unusable, unreadable, or indecipherable through a security technology or methodology (if the technology or methodology is generally accepted by experts in the information security field), there would be a presumption that no reasonable risk of identity theft, fraud, or other unlawful conduct exists following a breach of security of such data. Any such presumption may be rebutted by facts demonstrating that the security technologies or methodologies in a specific case, have been or are reasonably likely to be compromised. 

It is clear that encryption is only one such technology or methodology anticipated by the bill.  The bill directs that, not later than one year after the date of the enactment and biannually thereafter, the Commission, after consultation with the National Institute of Standards and Technology (NIST), relevant industries, consumer organizations, and data security and identity theft prevention experts and established standards setting bodies, issue rules or guidance to identify security methodologies or technologies, such as encryption, which render data in electronic form unusable, unreadable, or indecipherable, that shall, if applied to such data, establish a presumption that no reasonable risk of identity theft, fraud, or other unlawful conduct exists following a breach of security of such data. 

The law would require provision of two years of credit monitoring services.  A covered entity required to provide notification must, upon request of an individual whose personal information was included in the breach of security, provide or arrange for the provision of, to each such individual and at no cost to such individual (A) consumer credit reports from at least one of the major credit reporting agencies beginning not later than 60 days following the individual's request and continuing on a quarterly basis for a period of 2 years thereafter; or (B) a credit monitoring or other service that enables consumers to detect the misuse of their personal information, beginning not later than 60 days following the individual's request and continuing for a period of 2 years.  (There is an exception if the only personal information which has been the subject of the security breach is the individual's first name or initial and last name, or address, or phone number, in combination with a credit or debit card number, and any required security code.)  As part of the FTC's obligation to promulgate regulations on breach notification, the FTC must "establish a simple process under which a covered entity that is a small business or small non-profit organization may request a partial waiver or a modified or alternative means of responding if providing or arranging for such reports, monitoring, or service is not feasible due to excessive costs relative to the resources of the small business or small non-profit entity and the level of harm to consumers caused by the data breach."

The notification to individuals must include:

(i) the date, estimated date, or estimated date range of the breach of security;

(ii) a description of the personal information that was acquired or accessed by an unauthorized person;

(iii) a telephone number that the individual may use, at no cost to such individual, to contact the covered entity to inquire about the breach of security or the information the covered entity maintained about that individual;

(iv) notice that the individual is entitled to receive, at no cost to such individual, consumer credit reports on a quarterly basis for a period of 2 years, or credit monitoring or other service that enables consumers to detect the misuse of their personal information for a period of 2 years, and instructions to the individual on requesting such reports or service from the covered entity, except when the only information which has been the subject of the security breach is the individual's first name or initial and last name, or address, or phone number, in combination with a credit or debit card number, and any required security code;

(v) the toll-free contact telephone numbers and addresses for the major credit reporting agencies; and

(vi) a toll-free telephone number and Internet website address for the Commission whereby the individual may obtain information regarding identity theft.

In the event of a breach of security of the system maintained by any third party entity contracted to maintain or process data in electronic form containing personal information on behalf of any other covered entity who owns or possesses such data, such third party entity would be required to notify the covered entity of the breach of security.

Interestingly, the bill includes special provisions for "service providers," defined as covered entities "that provide[] electronic data transmission, routing, intermediate and transient storage, or connections to [their] system or network, where the covered entit[ies] providing such services do[] not select or modify the content of the electronic data, [are] not the sender or the intended recipient of the data, and such covered entit[ies] transmit[], route[], store[], or provide[] connections for personal information in a manner that personal information is undifferentiated from other types of data that such covered entity transmits, routes, stores, or provides connections."  For breach notification purposes, the bill provides that, if a service provider becomes aware of a breach of security of data in electronic form containing personal information that is owned or possessed by another covered entity that connects to or uses a system or network provided by the service provider for the purpose of transmitting, routing, or providing intermediate or transient storage of such data, the service provider is required to notify only the covered entity who initiated such connection, transmission, routing, or storage if such covered entity can be reasonably identified.

Notification of individuals may be delayed if a covered entity can show that providing notice within 60 days of discovery is not feasible due to circumstances necessary to accurately identify affected consumers, or to prevent further breach or unauthorized disclosures, and reasonably restore the integrity of the data system, in which case the notification must be made as promptly as possible.  As in most federal proposed bills and many existing state breach notification laws, if a law enforcement agency determines that the notification would impede a civil or criminal investigation, notification must be delayed upon the written request of the law enforcement agency (in this case for 30 days or such lesser period of time which the law enforcement agency determines is reasonably necessary and requests in writing). A law enforcement agency may, by a subsequent written request, revoke such delay or extend the period of time set forth in the original request if further delay is necessary.  Similarly, if a Federal national security agency or homeland security agency determines that the notification would threaten national or homeland security, notification may be delayed for a period of time which the national security agency or homeland security agency determines is reasonably necessary and requests in writing. The agency may revoke such delay or extend the period of time set forth in the original request by a subsequent written request if further delay is necessary.

Notification must be provided in writing by mail (or email under certain circumstances).  Substitute notification is allowed if the covered entity owns or possesses data in electronic form containing personal information of fewer than 1,000 individuals and such direct notification is not feasible due to (i) excessive cost to the covered entity required to provide such notification relative to the resources of such covered entity, as determined in accordance with the regulations issued by the FTC or lack of sufficient contact information for the individual required to be notified.  Like California's SB 1386 (Civil Code section 1798.82), such substitute notification must include (i) e-mail notification to the extent that the covered entity has e-mail addresses of individuals to whom it is required to provide notification; (ii) a conspicuous notice on the website of the covered entity; and (iii) notification in print and to broadcast media, including major media in metropolitan and rural areas where the individuals whose personal information was acquired reside.

The bill requires the FTC to promulgate regulations regarding breach notification AND to provide and publish general guidance on compliance, including (i) a description of written or e-mail notification that complies with the requirements; and (ii) guidance on the content of substitute notification.

The bill grants the FTC authority to place any breach notifications it receives in a clear and conspicuous location on its website if the Commission finds that doing so would be in the public interest or for the protection of consumers.

Enforcement

The FTC and State Attorneys General may enforce the bill.

(a) failed to employ sufficient measures to detect and prevent unauthorized access to computer networks or to conduct security investigations, such as by employing an intrusion detection system and monitoring system logs;

(b) failed to adequately restrict third-party access to its networks, such as by restricting connections to specified IP addresses or granting temporary, limited access;

(c) failed to monitor and filter outbound traffic from its networks to identify and block export of sensitive personal information without authorization;

(d) failed to use readily available security measures to limit access between in-store networks, such as by employing firewalls or isolating the payment card system from the rest of the corporate network; and

(e) failed to use readily available security measures to limit access to its computer networks through wireless access points on the networks.

The card issuing banks have claimed several hundred thousand dollars in fraudulent charges.

Not surprisingly, the FTC alleged these failures to implement "reasonable security" constituted an unfair act or practice in violation of Section 5(a) of the Federal Trade Commission Act, 15 U.S.C § 45(a).

Like many other similar FTC settlements, this one requires that Dave & Buster's establish and maintain a comprehensive information security program and obtain independent audits by a person qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SysAdmin, Audit, Network, Security (SANS) Institute; or a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, for (1) the first one hundred and eighty (180) days after service of the order for the initial Assessment, and (2) each two (2) year period thereafter for ten (10) years after service of the order. 

Dave & Buster's' comprehensive information security program must include the following, and more:

A. the designation of an employee or employees to coordinate and be accountable for the information security program;

B. the identification of material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other systems failures;

C. the design and implementation of reasonable safeguards to control the risks identified through risk assessment and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures;

D. the development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from respondent, and requiring service providers by contract to implement and maintain appropriate safeguards; and

E. the evaluation and adjustment of respondent’s information security program in light of the results of the testing and monitoring required by sub-Part C, any material changes to respondent’s operations or business arrangements, or any other circumstances that respondent knows or has reason to know may have a material impact on the effectiveness of its information security program.

Incidentally, for those of you, like me, who are fascinated (yes, it is true, I admit it) by the many and differing definitions of "Personal Information" out there in this country, you may be interested to note the FTC's definition for purposes of this settlement:

“Personal information” shall mean individually identifiable information from or about an individual consumer including, but not limited to: (a) a first and last name; (b) a home or other physical address, including street name and name of city or town; (c) an email address or other online contact information, such as an instant messaging user identifier or a screen name; (d) a telephone number; (e) a Social Security number; (f) a driver’s license number; (g) a credit card or debit card account number; (h) a persistent identifier, such as a customer number held in “cookie” or processor serial number, that is combined with other available data that identifies an individual consumer; or (i) any information that is combined with any of (a) through (h) above.

We fully expect to see more FTC action in this area.  Stay tuned for settlement number 28.

In our current legal structure, even though such information flows around the world at breakneck speed, the definition of personal information ultimately depends on where you reside - and that, in turn, has grown out of social and cultural expectations. In the United States this has traditionally meant information that can be used to identify and victimize you (i.e., identity theft) - Social Security number, financial account number, and now, to a growing extent, medical information - although, in some new state statutes, the definition is much more broad.  In Europe, the answer, for cultural and historical reasons, continues to be much more expansive, encompassing just about anything that can identify an individual.

So when an individual shares information on Facebook about his or her favorite music, or holiday plans, or the color of a piece of clothing, does that constitute "personal information"? What are consumers' reasonable expectations about how that information, if disclosed publicly -- or not so publicly (e.g., to one's "friends") -- should be used? And should the government regulate the sharing and use of such information by data brokers, social networks, cloud computing vendors, and advertisers?

Last year, the FTC introduced self-regulatory principles for behavioral advertising, but issued a warning that advertisers had one last chance before the FTC would take further steps to regulate. Has that time come? Mr. Vladeck told the New York Times today that the FTC will issue a report in June or July.  Chairman Leibowitz said:

I have a sense, and it’s still amorphous, that we might head toward opt-in.

What would such opt-in look like and how would it operate?  Is any opt-in solution manageable in the online world? Can any proposed model keep up with rapid changes in technology and consumer expectations?  And will this focus on online privacy issues affect and/or eclipse the progress of the many pending federal data security and breach notification bills?

We shall see.

"We do not seek to collect personally identifiable information from persons under the age of 13 without prior verifiable parental consent. If we become aware that we have inadvertently received such information online from a child under the age of 13, we will delete it from our records. If you are under the age of 13, please do not submit any personally identifiable information to us. If you are the parent or guardian of a person under the age of 13 who has provided personally identifiable information to us, please inform us by contacting us at info@iconixbrand.com and we will remove such information from our database. If you are concerned about your children's use of the Site, you may use web filtering technology to supervise or limit access to the Site."

In addition to the $250,000 penalty, pursuant to the settlement, Iconix must, among other things, delete all personal information collected and maintained in violation of COPPA, distribute the settlement order and the FTC’s “How to Comply with the Children’s Online Privacy Protection Rule” to company personnel, and link to the FTC's www.OnGuardOnline.gov Web site on any Iconix Web site that collects or discloses children’s personal information and on any Iconix site that offers the opportunity to upload writings or images, create publicly viewable user profiles, or interact online with other Iconix site visitors.

Of course, this is not the first time the FTC has brought and settled COPPA charges.  There have been more than a dozen COPPA enforcement cases, the most notable being a 2008 $1 million settlement with Sony BMG and a 2006 $1 million settlement with Xanga. 

The FTC's most recent COPPA enforcement action is another reminder of (a)  the importance of posting a privacy policy that accurately reflects a company's practices with respect to children's (and others') personal information; and (b)  the need for legal, marketing, and IT to work hand-in-hand in developing kid-friendly and compliant online campaigns.

State Security and Breach Notification Laws

Since California adopted SB 1386, which went into effect in 2003, nearly all US states have enacted security breach notice laws that require notice to affected individuals, and in some cases to public authorities, when a party has reason to believe that the security of protected categories of personal data has been compromised. The protected categories are typically SSN (Social Security Number), driver’s license, financial account or payment card details (usually only if the password or access code is also compromised), and, increasingly, medical data not covered by federal HIPAA privacy protections.

All of these laws make an exemption from the notice obligation if the data were encrypted (some add that this is true only if there is no reason to believe that the decryption key was also compromised). The laws, and regulations adopted under the laws, typically do not specify the level or kind of encryption. For example, California’s Office of Privacy Protection published guidance specifically on the subject of “Recommended Practices on Protecting the Confidentiality of Social Security Numbers” in April 2007, which has only this to say about encryption, on page 11:
“Protect records containing SSNs, including back-ups, during storage by encrypting the numbers in electronic records or storing records in other media in locked cabinets.”

Partly as a consequence of these security and breach notice laws, organizations should limit their use and storage of these categories of personal data to the extent they are really necessary for business operations. Storage on servers or on archived media, and transmission over internal networks and VPN connections, may or may not be sufficiently secure without encryption, depending on the company’s risk assessment and IT security practices. Organizations should encrypt such data when it is resident on laptops or other portable devices and when it is in transit over the public Internet.

Massachusetts and Nevada have recently adopted stricter and more specific rules, however, that may become a model for other states. These increase the regulatory pressure for encrypting protected categories of personal data.

Massachusetts

The Massachusetts Personal Information Security Regulation (201 CMR 17.00) is now scheduled to take effect on March 1, 2010. The Regulation was promulgated by the Office of Consumer Affairs and Business Regulation (OCABR) under the authority of the Massachusetts personal information security law.

The Regulation will require all parties that “own or license” any of the protected categories of personal data concerning Massachusetts residents to encrypt the data in laptops or other portable devices, as well as in wireless transmissions and in transmission over public networks.

Note that the Regulation does not limit its coverage of financial account data to cases where the access code or PIN is compromised, as do most security and breach notice laws. The Regulation extends to any nonpublic financial account or payment card data, as well as to SSNs and driver’s license numbers. The Regulation does not cover medical information, however.

The Regulation mandates a number of “Computer System Security Requirements” (201 CMR sec. 17.04) for businesses that handle the protected categories of personal data. These expressly include the following:

“(3) Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly . . .

(5) Encryption of all personal information stored on laptops or other portable devices . . .”

The level and type of encryption are not specified.

Nevada

Nevada recently amended its personal information security law, which already required “reasonable” security measures as well as breach notice (Nevada Rev. Stats. secs. 603A.010 et seq.). The amendments take effect on January 1, 2010.

The law covers SSNs, driver’s license numbers, and payment card or financial account data in combination with an access code or PIN. Medical information is not covered.

Under the amended law, businesses that accept payment cards (credit cards and debit cards) must comply with the Payment Card Industry Digital Security Standard (PCI DSS). In addition, a party handling any of the protected categories of information must encrypt the data if it transfers the data electronically “outside of the secure system of the data collector” or if the data is stored on a device (laptop, USB drive, etc.) that is moved “beyond the logical or physical controls of the data collector or its data storage contractor.”

“Encryption” is defined in the amendments with reference to “established standards,” specifically including FIPS and mentioning the need for standards-based key management as well as encryption protocols:

‘Encryption’ means the protection of data in electronic or optical form, in storage or in transit, using:

(1) An encryption technology that has been adopted by an established standards setting body, including, but not limited to, the Federal Information Processing Standards issued by the National Institute of Standards and Technology, which renders such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data; and

(2) Appropriate management and safeguards of cryptographic keys to protect the integrity of the encryption using guidelines promulgated by an established standards setting body, including, but not limited to, the National Institute of Standards and Technology.”

Thus, while the law itself does not specify the form of encryption, it puts the burden on the user to choose an appropriate and standards-based method.

HITECH

Title XIII of ARRA, the federal economic recovery legislation adopted early in 2009, is labeled the Health Information Technology for Economic and Clinical Health Act (HITECH). It amends the HIPAA medical privacy provisions by adding a federal security breach notice requirement for nonpublic, personally identifiable health information. While HIPAA applies only to certain covered entities (healthcare providers and insurance companies and clearinghouses), HITECH also applies to “business associates” that provide services to those entities. HITECH reaches as well any employers that are covered by HIPAA because, for example, they operate company clinics or manage their own health plans.

HITECH requires notice to affected individuals when there has been a security breach exposing personally identifiable health data. HIPAA already lists 18 identifiers (names, addresses, SSNs, health plan ID numbers, etc.) that must be removed to establish that health records have been “de-identified.” Where compromised records have not been fully de-identified by removing these data fields, HITECH sec. 132400 also recognizes that the information may not be personally identifiable if it is effectively encrypted:

“(b) Implementation specifications: Requirements for de-identification of protected health information. A covered entity may determine that health information is not individually identifiable health information only if:

(1) A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:

(i) Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and (ii) Documents the methods and results of the analysis that justify such determination; . . . .”

Thus, HITECH does not specify a particular form of encryption but leaves it to IT security experts to decide whether the data are effectively unidentifiable in the hands of an unauthorized user. Note that the statute requires covered entities to maintain documentation of this professional analysis, and that the analysis must be based on “generally accepted” principles and methods – which means that professional opinions are likely to refer to published specifications and industry standards.

Red Flags

The 2007 Identity Theft Red Flags Rule (promulgated under the 2003 FACTA amendments to the federal Fair Credit Reporting Act) went into effect in November 2008, although the FTC suspended enforcement until November 1, 2009. (Similar rules were issued by the federal financial regulatory agencies, for the institutions they supervise.) The Rule requires covered entities to develop and implement written policies to prevent identity theft, including recognition of warning signs or “red flags” of suspected ID theft.

The Rule applies not only to traditional financial institutions but to “creditors,” defined as companies that “regularly defer payment for goods or services,” whether or not charging interest or finance charges, and therefore store personal information about individual debtors. Some employers, for example, sell goods or services to employees on deferred payment terms and may be treated as covered entities for that reason. (However, the Red Flag FAQs written by FTC staff take the view that an employer is not a covered entity simply because it sponsors a 401k or other qualified retirement plan that allows participants to borrow from their retirement funds.)
For covered entities, the mandatory policy to prevent ID theft must identify signs of possible security breaches involving certain data, as well as appropriate responses to those alerts. The covered data are SSNs and tax identification numbers, healthcare IDs, financial account and credit/debit card details, personally identifiable medical information, and identifying data from consumer reports (which are often used for employee background checks as well as for credit applications).
The Rule itself does not mandate encryption measures. However, most covered entities will necessarily address encryption in their written anti-ID theft policies. Their “red flags” should also include an alert if there is evidence that encryption keys have been misused, stolen, or hacked.
 

The FTC's Position on the Scope of the Red Flags Rule

While it is obvious that the Red Flag Rule applies to traditional financial institution type companies (e.g. banks, credit unions, mortgage companies, etc.), the FTC's interpretation of "covered entities" could impose the Red Flags Rule on "non-financial" entities.  The Rule defines "covered entities" as either "creditors" or "financial institutions."  The current controversy revolves around the term "creditor," which is defined by the Rule by referring to the definition in the Equal Creditor Opportunity Act ("ECOA").  Under the ECOA, "creditor" means:

"any person who regularly extends, renews, or continues credit;  any person who regularly arranges for the extension, renewal or continuation of credit; or any assignee of an original creditor who participates in the decision to extend, renew or continue credit."

The ECOA defines "credit" as "the right granted by a creditor to a debtor to defer payment of debt or to incur debts and defer its payment or to purchase property or services and defer payment therefor."  In a letter to the American Medical Association on this issue, the FTC cited Federal Reserve Board's elaboration on the definition of creditor and credit:

In its Official Staff Commentary to Regulation B, the Federal Reserve Board makes clear that the terms "creditor" and "credit" under the ECOA should be interpreted broadly so as to include all entities that defer payments, even in the normal course of a traditional billing process.' As the Official Staff Commentary states, "[i]f a service provider (such as a hospital, doctor, lawyer, or merchant) allows the client or customer to defer the payment of a bill, this deferral of a debt is credit for purposes of the regulation, even though there is no finance charge and no agreement for payment in installments.

In the same letter, the FTC also cited favorably to a legal treatise on the issue:

Similarly, one recent legal treatise on the subject explains that "[b]ecause credit under the ECOA involves any simple deferral of payment, even if there are no finance charges or installments, the ECOA applies to many transactions where the consumer pays after receiving the goods or services, such as doctor and hospital bills, bills from repair persons and other workers, and even a local store where a customer runs up a tab.""

The Impact of the FTC's Interpretation

The FTC's interpretation of "creditor" potentially extends the Red Flags Rule to large swaths of the economy.  Taken to its logical conclusion, any company that does not require immediate payment for goods or services could be considered a "creditor."  This could include law firms, hospitals, insurance companies, telecommunication companies, doctors and a host of other businesses that provide products or services and bill for them later.  While the number of entities that need to comply with the Rule may be significant, the FTC also recognizes that entities posing a lower risk of identity theft may comply with the Rule by implementing simple (relate to high-risk entities) written Identity Theft Programs.  The difference between low-risk and high-risk will vary depending on the particular circumstances.

What should a company do if it does allow deferred payments?

At this point, it appears that such companies must investigate whether they handle "covered accounts" and ascertain the identity theft risk associated with those accounts.  The Rule is also, unfortunately, not clear on what constitutes a covered account in this context.  Moreover, since business models vary, the risk posed and red flags established will likely vary between companies.  Company's should retain counsel to work through these issues and help develop an Identity Theft Program.

In theory at least, lower risk and less complex entities will face lower compliance burdens and costs to achieve compliance.  Nonetheless, because of the need to investigate the applicability of the law and the potentially fact-intensive process of assessing identity theft risk and crafting a program for a particular company, the costs may be significant for some companies (especially "high-risk" entities).  More coming on compliance burdens in a future article on this blog.