Info Law Group : Technology Lawyers & Attorneys : Information Law Group : Privacy, Security & Intellectual Property Law

The FTC developed the proposed framework in recognition of increasing advances in technology that allow for rapid data collection and sharing that is often invisible to consumers. The framework is designed to reduce the burdens of protecting online privacy on consumers and businesses. The report is intended to inform policymakers, including Congress, as they develop solutions, policies, and potential laws governing privacy, and guide and motivate industry as it develops more robust and effective best practices and self-regulatory guidelines.

Building on the FTC’s guidance on behavioral advertising, the proposed framework seeks to further expand the scope of protected data beyond the traditional notions of “personally identifiable information.” Specifically, the proposed framework would apply broadly to online and offline commercial entities that collect, maintain, share or otherwise use consumer data that can reasonably be linked to a specific consumer, computer or device.

In developing the proposed privacy framework, the FTC observed that:

•  there is ubiquitous collection and use of consumer data online;

• the distinction between personally identifiable information and anonymous or de-identified information is blurring;

• the increased flow of information, including consumer data, creates significant economic benefits;

• the FTC’s existing “notice-and-choice” model of privacy protection has led to companies publishing privacy policies and notices that are long, legalistic disclosures that consumers usually do not read and do not understand;

• current privacy policies force consumers to bear too much burden in protecting their privacy;

• the FTC’s existing “harm-based model” of privacy protection, while focusing on protecting consumers from specific harm (e.g., physical or economic) has failed to recognize less tangible privacy concerns such as reputational harm or the fear of being monitored;

• both of the FTC’s privacy protection models (“notice-and-choice” and “harm-based”) have failed to keep up with data collection technology, including data collection that is invisible to consumers and website owners;

• industry efforts to address privacy through self-regulation have been “too slow” and have failed to provide adequate and meaningful protection to consumers;

• some companies manage consumer information in an irresponsible and even reckless manner, and many companies do not adequately address consumers’ privacy interests;

• many consumers are not informed about or cognizant of the risks associated with the collection, sharing and other use of their personal information; they lack understanding and ability to make informed choices about the collection and use of their data.

To reduce the burden on consumers and ensure basic privacy protections, the report makes a number of recommendations, which are summarized below.

1.       Privacy by Design

The report recommends that companies adopt a “privacy by design” approach by building privacy protections into their everyday business practices. Such protections include reasonable security for consumer data, limited collection and retention of such data, secure disposal of the data and reasonable procedures to promote data accuracy. Companies also should implement and enforce procedurally sound privacy practices throughout their organizations, including assigning personnel to oversee privacy issues, training employees and conducting privacy reviews for new products and services. The report calls for companies to implement these concepts in a systematic manner, scaled to each company’s business operations, including the amounts and types of data the organization processes. 

2.      Notice

The report calls on companies to improve their privacy policies and notices so that interested parties can compare data practices and choices across companies. For example, to facilitate meaningful choice, the FTC is recommending just-in-time concise notice and choice at the data collection point or before a consumer accepts a product or service. The FTC believes that privacy policies will continue to play an important role in promotion transparency, accountability and competition among companies on privacy issues – but only if the policies are clear, concise and easy to read. The report also recommends consideration of standardized privacy notices that allow consumers to compare information practices of competing companies. Finally, the FTC has reminded organizations that they must provide robust notice regarding material, retroactive changes to data practices and obtain affirmative consent to such changes.

3.      Choice, Including a Do-Not-Track Mechanism

The report calls for companies to provide choices to consumers about companies’ data practices in a simpler, more streamlined manner than has been used in the past. Consumers should be presented with choice about collection and sharing of their data at the time and in the context in which they are making decisions – not after having to read long, complicated disclosures that they often cannot find. The report suggests that, to simplify choice for both consumers and businesses, companies should not have to seek consent for certain commonly accepted practices associated with processing consumers’ transactions, internal business operations (such as improving services), fraud prevention, legal compliance and first-party marketing. Some of these data uses are apparent in the context of the transaction, while others are accepted or necessary for public policy reasons. For data practices that are not commonly accepted or necessary, consumers should be able to make an informed and meaningful choice. The FTC used the report to remind organizations that they must obtain affirmative consent for material, retroactive changes to their data practices.

One method of simplified choice the FTC has recommended is a “Do Not Track” mechanism governing the collection of information about consumer’s Internet activity to deliver targeted advertisements and for other purposes. The FTC has recommended a simple, easy to use choice mechanism for consumers to opt out of the collection of information about their Internet behavior for targeted ads. The FTC believes that a practical solution is technologically feasible and suggests that the most practical method could involve the placement of a persistent setting, similar to a cookie, on the consumer’s browser signaling the consumer’s choices about being tracked and receiving targeted advertising.

4.      Access

The report recommends allowing consumers “reasonable access” to the data that companies maintain about them, particularly for non-consumer facing entities such as data brokers. Because of significant costs associated with access, the report suggests that access should be proportional to both the sensitivity of the data and its intended use.

We note that the data access principle, although novel in the U.S., is a well-established requirement in the European Union and some other jurisdictions that have adopted omnibus data protection regimes. In addition, providing reasonable access to personal data is one of the seven privacy principles mandated by the EU-U.S. and Switzerland-U.S. Safe Harbor programs. Accordingly, many U.S. entities that have certified compliance with the Safe Harbor are already complying with the data access requirement with respect to personal data they receive from Europe.

5.      Privacy Awareness

The FTC has proposed that stakeholders undertake a broad effort to educate consumers about commercial data practices and the choices available to them. The FTC believes that increasing consumers’ understanding of commercial data collection practices will facilitate competition on privacy among companies.

6.      Enforcement

The FTC reiterated its resolve to take action against companies that “cross the line” with consumer data and violate consumers’ privacy – especially when children and teens are involved. The Commission also made clear that consumers’ choices should be respected. The FTC will not tolerate use of technology to circumvent consumer choice.

In issuing the report, the commission posed a series of questions to privacy stakeholders. The deadline for submitting comments to the FTC is January 31, 2011. The questions concern the scope of the companies and data to which the framework should apply; the substantive privacy protections the framework offers; data management procedures; practices that should require meaningful choice; the “do-not-track” proposal; transparency of privacy practices and improvement of privacy notices; data access; and consumer education.

Please check back with us as we address the report in more detail in the coming days.

What is the “Safe Harbor and Self-Regulatory Choice Program” that is referenced in the Act?

This appears to be a novel new mechanism that allows covered entities to avoid certain obligations under the Act if they fall into a “safe harbor” that is based on a self regulatory program (known as a “Choice Program”). In particular, covered entities that satisfy certain Choice Program requirements shall not be subject to:

• the express affirmative consent obligations in 104(a);

• the requirements of access to information under section 202(b) of the Act; or

• liability in a private right of action brought under section 604 of the Act (discussed below)

Avoidance of the Act’s private right of action is especially significant in this context.

How does the “Choice Program” work?

It appears that people or entities (it does not appear to be limited to covered entities) can submit an application to the FTC for approval of a self-regulatory program (a.k.a Choice Program). The FTC can approve one or more of these programs. The FTC must either initially approve or deny a Choice Program within 270 days after the submission of the application. Modifications may be made to a Choice Program that was initially approved, and such modification must be approved or denied by the FTC within 120 days. Applicants have the right to appeal the FTC’s decision or failure to act within the 270 period to a U.S. District Court.

The FTC will only approve a Choice Program (or amendments) after notice and comments, and only if it satisfies the requirements of section 403 of the Act. If approved, a Choice Program remains approved for 5 years.

This section is very interesting as it appear to allow for some regulatory flexibility and recognizes the limitations of a one-sized-fits-all approach. Ostensibly certain industry segments could develop a Choice Program that more close fits their business model/industry (while of course still providing the protection and choice the Act seeks to impose).

What are the requirements of a Choice Program under section 403 of the Act?

In order to be approved a Choice Program must meet certain criteria. The Choice Program must provide individuals with:

• a clear and conspicuous opt-out mechanism that, when selected by the individual prohibits all covered entities participating in the Choice Program from disclosing covered information to a third party for one or more specified uses, and may offer individuals a preference tool to enable individuals to make more detailed choices about the transfer of covered information to a third party; and

• a clear an conspicuous mechanism to set communication preferences, online behavioral advertising preferences and other relevant preference options, and these preference would have to be followed by all covered entities in the Choice Program.

I almost think of this as a sort of “do not call list” type of mechanism. If a group of covered entity can agree to provide individuals with a set of choices, the individual does not have to constantly make a choice over and over again whenever engaging in particular transactions. While this is a little vague in terms of its mechanics and scope, it is very interesting and could provide meaningful trade-offs between business and individuals seeking to protect their privacy and more efficiently control their information.

In addition, a Choice Program will be approved by the FTC only if it establishes:

• Guidelines and procedures requiring participants to provide equivalent or greater protection for individuals and their covered information as set forth in titles I and II of the Act;

• Procedures for reviewing applications by covered entities to participate in the Choice Program (this appears to require an application and approval process, but it is not clear who would administer that process)

• Procedures for periodic assessment of the Choice Program’s procedures

• Periodic compliance testing of covered entities participating in the Choice Program; and

• Consequences for failure to comply with program requirements (e.g. public notice, suspension, expulsion or referral to the FTC)

Again, this provision is extremely interesting. It would appear to require some sort of private regulatory body be set up around the Choice Program (e.g. like the PCI Council for the PCI Standard), as well as a funding mechanism. Note that under section 404 of the Act, the FTC is charged with implementing regulations to provide further details as to how this safe harbor system is to work.

Are there any types of information or activities exempted from regulation by the Act?

Yes, section 501 of the Act sets forth some general exclusions. The Act does not prohibit a covered entity from collecting, using or disclosing:

• Aggregate information (see 501(a)(1)), which means data that relates to a group or category of services or individuals, from which all information identifying an individual has been removed; or

• Covered information or sensitive information from which identifying information has been removed or obscured using reasonable/appropriate methods such that there is no reasonable basis to believe that the information can be used to identify the specific individual to which it relates or the computer or device owned or used by a specific individual (see 501(a)(2)).

May covered entities disclose aggregate information or information stripped of identifying information (as referenced in section 501(a)(1) and (2)) to third parties?

Yes, under section 502 information in that format may be disclosed to a third party, but the covered entity is required to take reasonable steps to protect that information. The Act provides two examples of “reasonable steps to protect,” including:

• refraining from disclosing to the third party the algorithm or other mechanism used to obscure or remove the identifying information, and obtaining; and

• obtaining satisfactory written assurances from the third party that it will not attempt to reconstruct the identifying information.

Does the Act prohibit any uses of covered/sensitive information stripped of identifying information (as referenced in section 501(a)(2))?

Yes, under section 501(c), if a covered entity claims the exemption for de-identified information under section 501(a)(2), it is unlawful for any person to reconstruct or reveal the identifying information that has been removed or obscured from information stripped of identifying information (as referenced in section 501(a)(2)). In short, the Act makes it illegal for third parties that receive de-identified covered/sensitive information to re-identify it. However, the Act also requires the FTC to promulgate regulations to establish exemptions from this rule.

How does the Act relate/interact with other Federal privacy laws?

Section 502 of the Act indicates that, unless expressly provided for in the Act, the Act shall not have any effect on activities already covered under other Federal laws, including GLBA, FCRA, HIPAA, certain parts of the Social Security Act, COPPA, certain sections of the Communications Act of 1934, CAN-SPAM Act, ECPA, and the Video Privacy Protection Act. On the one hand, this provision may be helpful for limiting the scope of the Act’s application to some entities, especially those that only deal with particular types of personal information. However, since the Act does not override other Federal requirements, entities that deal with different types of personal information in different contexts, may find themselves with the need to address multiple regulatory regimes for different parts of their organization or with respect to different business practices.

How is the Act to be enforced by government agencies?

Under section 602, the Act may be enforced in two different ways by the government. First, the Act grants the FTC the authority to enforce the Act under section 18(a)(1)(B) of the FTC Act. The Act indicates that any violation of titles I – III of the Act shall be considered an unfair and deceptive act or practice under the FTC Act. The penalties, privileges and immunities of the FTC Act shall apply as well.

Second, under section 603, the Act may also be enforced by the states. In particular, if a State AG or an official or agency of a State has reason to believe that an interest of the residents of that State has been or is threatened or adversely affected by a violation of the Act, they may bring a civil action on behalf of those residents. However, no AG or state official/agency may bring an action under section 604 if they are also bringing an action under the laws of any relevant State. The civil action may seek to enjoin further violation of the Act, compel compliance with the Act or impose civil penalties as described in the Act. The Act describes the various civil penalties that are available for violations of particular sections of the Act. In general penalties may be available for every day that a covered entity is not in compliance with the act, up to $11,000 per day. These penalties, however, are capped at $5 million for a related series of violations under title I of the Act, and $5 million for any related series of violations under titles II and III of the Act.

Does the Act provide a privacy right of action?

Yes, section 604 of the Act provides a private right of action for certain violations. In particular, covered entities that willfully violate sections 103 or 104 of the Act may be liable to affected individuals. However, no individual may bring an action under section 604 if they are also bringing an action under the laws of any relevant State. Section 604 provides that affected individuals may recover the following amounts for such a willful violation:

•  the greater of actual damages of not less than $100 and not more than $1000;

•  punitive damages;  and

• in the case of a successful action under this section, the costs of the action together with reasonable attorney fees.

Individuals have two years from their discovery of a violation (or reasonable opportunity to discover) to bring a civil action under section 604.

Does the Act preempt similar State laws?

The Act would preempt any State law with respect to covered entities that “expressly requires covered entities to implement requirements with respect to the collection, use or disclosure of covered information address in the Act. However, the Act specifically would not preempt any of the following State laws:

• State laws that address the collection, use or disclosure of health information or financial information

• State breach notice laws

• State trespass, contract or tort law; or

• Other State laws to the extent that those laws related to acts of fraud.

When would the Act come into effect if passed into law?

The Act, if passed, will take effect 2 years after the date it is enacted. However the FTC has the option to stay enforcement of the Act in order for the FTC to establish the parameters of the Choice Program under title IV.

Author’s Note: Wow, this blogpost became very long. I did not realize how difficult it would be to try to explain complex risk of loss provisions in something closer to plain English. This post is may be difficult to wade through. However, it contains a good deal of valuable information (or at least I think so anyway). In short, these are the types of issues that are best explained orally. So if you would like to discuss these matters, feel free to contact me at 303.325.3528. Also, I will respond to comments here on the blog if you have any questions. Thanks – Dave.

Risk of Loss Contract Terms Primer

This is just a very quick general primer concerning the risk of loss terms that often appear in contracts:.

• Limitation of Liability Clauses. Limitation of liability clauses (“LOLs” for short) are fairly straightforward. They simply set the cloud provider’s monetary cap for loss or damages owed to the customer under the contract. The amount of the cap often relates to the revenue or income being generated by the service provider (e.g. liability is limited to the amount of fees earned over the prior twelve month period by the service provider). Most limits of liability purport to limit liability for any liability arising out of the services provided under the agreement, whether such liability arises out of the contract, tort or statute. Significantly, even if a customer is able to get favorable privacy and security terms from a cloud provider, they may only be able to recover up to the LOL should the provider breach those terms. Also important, cloud contracts may have exceptions to the LOL that allow the customer to recover for certain types of losses, including for example, confidentiality breaches and indemnification-related losses.

• Warranty Disclaimers. Service providers may provide certain warranties concerning their services, but then typically desire to disclaim all other warranties and guarantees concerning their services. The reason is obvious; they do not want to be held to a higher standard of care that a warranty may encompass. Service providers want to also avoid liability for implied warranties because of uncertainty and legal risk associated with potential warranties their services may imply. Customers desire to get as many warranties as possible, and to have loss arising out of warranty breaches of those warranties not be subject to contractual limitations of liability.

• Consequential Damages Disclaimers. Many Cloud contracts will contain clauses whereby the service provider disclaims any liability for “consequential damages.” Examples of consequential damages include loss of profits, loss of use of goods and reputation loss. While these examples are more straightforward it is often difficult to ascertain whether a particular loss constitutes consequential damages (not recoverable if disclaimed properly) versus “direct damages” (recoverable). For example, some Cloud providers may argue that breach notice costs or fines or penalties arising out of a security breach in violation of a contract may constitute consequential damages, and therefore be disclaimed and not recoverable by a customer.

• Indemnification Clauses. Certain actions by a Cloud provider, such as a security breach or non-compliance with a security or privacy law, could lead to certain losses suffered by the customer, including lawsuits, claims, regulatory actions and the incurring of breach notice expenses, forensic expenses or attorney fees. Indemnification clauses allow the indemnitee to recover losses associated with these types of claims and expenses from the indemnitor.

In this context for example, a Cloud provider might agree to indemnify a customer for lawsuits by the customer’s consumers who were impacted by a security breach suffered by the Cloud provider. The indemnification clause may require the service provider to pay for the cost to mail notice to individuals impacted by a security breach as dictated by breach notice laws. Note that indemnification clauses may be subject to a contract’s LOL if the clause does not include a carve-out or exception for indemnification obligations.

Now let's look at how these contract terms are used in the CSC and Google contracts.

Risk of Loss Terms in the CSC Contract

It appears that LA was able to obtain some favorable risk of loss terms, including unlimited liability for CSC with respect to certain loss elements related to security and privacy breaches. Significantly, CSC has agreed to be responsible for certain liabilities that may arise from Google’s (its subcontractor) acts, errors and omissions. Nonetheless, some interpretative issues exist arguably limit CSC’s obligations.

Warranties and Warranty Disclaimer

CSC provides some generic warranties in the CSC Contract (e.g. such as warranting that they are duly incorporated and in good standing), but also provides two additional warranties relevant to data security and privacy, including a warranty to comply with all laws and regulations “applicable to the performance by it of it is obligations under the Contract” (section 5.1.5), a warranty to use commercially reasonable virus detection software with respect to the software licensed under the CSC Contract, and a warranty to refrain from intentionally including computer viruses in the licensed software. CSC disclaims all warranties beyond those explicitly set forth in Section 5 of the CSC Contract.

While these warranties are substantive and provide the City of LA with a basis to claim breach of contract or breach of warranty if CSC violates them, any loss that arises out of a warranty breach is subject to and capped by the limitation of liability clause in the CSC Contract (discussed below). This raises an important point for customers negotiating Cloud contracts – you may fight hard and negotiate for a long time on substantive obligations such as warranties, but unless you get an exception to the LOL for breaches of warranties, your ability to fully recover loss for breach of warranty may be limited. 

Consequential Damages Disclaimer

Section 15.1. of the CSC Contract sets forth a fairly typical consequential damages disclaimer, which purports to relieve CSC of any liability arising out of “special, indirect, consequential or incidential losses or damages.” There are, however, two issues that jump out from the clause.

First, the clause also disclaims any liability for “penalties.” Penalties can arise in the security/privacy context out of contractual arrangements (e.g. fines and penalties imposed by Visa due to a payment card data breach) or regulatory actions (e.g. fines and penalties imposed by regulators due to violations). While some may argue that fines and penalties are “direct damages,” one could argue that this CSC clause pulls “penalties” out of the consequential/direct damages dichotomy and puts them in a separate category of loss that CSC is not responsible for.

Second, CSC’s disclaimer specifically references “lost or damaged data” as a consequential damage. As such, in the event of a security breach involving personal, CSC may argue that it has no liability to the extent such breach involved “lost or damaged data.”

Notably there are no exceptions to the consequential damages disclaimer, which may be problematic for the City. For example, assume that LA gets sued after a security breach involving credit cards and is required to pay a penalty to a card brand. Despite the indemnification language, CSC might take the position that it is not responsible for such penalty.

Indemnification

The CSC Contract contains several indemnification clauses whereby CSC agrees to indemnify LA under certain circumstances. We will focus on those related to security and privacy, which are set out in sections 15.5.2 an 15.5.3 of the CSC contract. Section 15.5.2, provides as follows:

In addition, Contractor undertakes and agrees to defend, indemnify and hold harmless City [ . . .] from and against all third party suits and causes of action, claims, losses, demands and expenses, including but not limited to, attorney’s fees and costs of litigation, damage or liability of any nature whatsoever, that [CSC or its Subcontractor] have breached its obligations to City under Section 10 (Confidentiality and Proprietary Rights) only with respect to the disclosure of such End User’s information and to the extent such disclosure is the result of actions predominantly attributable to (as agreed by the parties, said agreement, not to be unreasonably withheld) [CSC or its Subcontractors]

In addition, section 15.5.3 requires CSC to indemnify LA for similar loss elements arising out of “lost City Data.” Such indemnification obligations appear unlimited with respect to events occurring within 30 days after LA’s full and final acceptance of the services, and are capped at $7.7 million after that 30 day period.

Limitation of Liability

Section 15.1.2 sets forth an interesting limitation of liability clause. The limitation of liability under the CSC contract actually changes over time during the contract. During the first 12 months the LOL is $2.1 million, for months 13-24 the LOL is $1.4 million, for 25-36 it is $1.4 million, etc. through the end of the 60 month contract. What is somewhat unclear is whether the LOL’s for each year are cumulative. 15.1.2 does indicate a $7.7 million "total", but that may be for the entire contract not a given year. For example, the total for months 25-36 is $4.9 million, but the LOL for those months is $1.4 million. Does that mean that the most the company can recover during those months is $1.4 million, or can they recover up to the total of $4.9 million in that year? Not clear.

The scope of this LOL is also arguably unclear. For example, does this LOL apply to liability that arises out of breach of contract only, or does it also limit liability for torts outside of the contract such as negligence or fraud? Many LOLs that I have seen specifically indicate that the LOL applies to contract, tort, statute or any other theory of liability.

As part of the limitation of liability section, 15.1.3.1 sets forth a liquidated damages provision that allows LA to recover $10,000 for an incident involving a breach of confidentiality obligations by CSC. Incident in this case means “all disclosures of City Data to unauthorized recipients arising from the same specific cause or causes.” This provision does not apply to confidentiality breaches by Google or its subcontractors. The contract gives the City the ability to waive this provision and seek actual damages.

Significantly, CSC’s indemnification obligations in section 15.5 are not subject to the LOL. This means that CSC’s indemnification obligations under 15.5.2 (for breach of confidentiality) are unlimited. CSC’s indemnity obligations for “lost City Data” under 15.5.3 are also not subject to the staggered LOL in 15.1.2.  Rather, as mentioned above, section 15.5.3 has its own built in $7.7 million LOL. In addition, under 15.1.3., liability for breach of any confidentiality obligation is not subject to the limitation of liability under 15.1.2. All other provisions, breaches, liabilities and losses are purportedly subject to the LOL.

Observations

The risk of loss terms in the CSC Contract raise several issues related to privacy, security and legal compliance. The following matters suggest that CSC is accepting a broad range of liability:

• Google is defined as a CSC “Subcontractor.” Therefore, as respects indemnification for a breach of confidentially obligations or for lost City Data, CSC would be responsible to pay for Google’s act or error.

• CSC’s Indemnification Obligations for End User Information Confidentiality Breaches are Unlimited. The LOL in the CSC contract explicitly exempts CSC’s indemnification obligations under 15.5.2 from the damage cap of the LOL.

• "Direct Damages" for Breach of Confidentiality Obligations are Unlimited. Section 15.1.3, specifically indicates that the contract’s LOL does not apply to breaches of confidentiality obligations. However, as mentioned in Part One, some service providers might take the position that a third party accessing and stealing data is not an “affirmative disclosure” by CSC or its Subcontractors (e.g. CSC did not consciously disclose such information).  Moreover, since CSC attempts to disclaim liability for "lost or damaged data," the scope of "direct damages" arising out of a security breach may be limited.

The following issues are potential limiting factors with respect to the liability accepted by CSC under the contract:

• No CSC Liability for "lost or damaged data”.  As mentioned above, the consequential damages disclaimer explicitly includes “lost or damaged data” as part of consequential damages.  While awkwardly drafted, this provision may essentially eliminate CSC liability for some data security breaches.  However, depending on the definition of "lost" in the security breach context, the scope of this limitation may be narrow.

• No Indemnification for Failure to Implement Security. There are no explicit indemnification obligations with respect to CSC’s information security obligations set forth in section 11 of the CSC contract, and any recovery by LA would be argued to be limited by the LOL and the consequential damage disclaimer.

• No Indemnification for Breaches of Privacy and Security Laws. There is no explicit obligation to indemnify the City should CSC or its Subcontractors violate a security or privacy law.

• Breaches of Warranty are Subject to the LOL. In some service provider contracts, a breach of warranty may not be limited by the limitation of liability clause. Not so for purposes of the CSC contract.

• No Explicit Security Breach Indemnification and the Meaning of “Disclosure”. In Section 15.5.2, there is no explicit indemnification for a security breach that involves a third party gaining unauthorized access to City Data. While there is indemnification for “disclosure” of End User data, as mentioned in Part One, some service providers might take the position that a third party accessing and stealing data is not an “affirmative disclosure” by CSC or its Subcontractors (e.g. CSC did not consciously disclose such information).

• No Explicit Security Breach Indemnification and the Meaning of “Lost.” Section 15.5.3 also provides indemnification for “lost City Data,” and that could arguably encompass a security breach situation (or at least a subset thereof). However, some might argue that data taken by a third party is not “lost.” If a copy of the data remains, has it been “lost?” Does “lost” apply only to situations such as lost laptops with data on them, such that the data is irretrievable? The City could have clarified CSC's obligation by inserting into the contract references to unauthorized access or use of City Data, and perhaps stolen or unauthorized copying of data.

• Breach Expense Elements. There is no explicit indemnification for breach notice expenses, forensic expenses, credit monitoring expenses or call center expenses (although such expenses could be argued to be included as indemnifiable expenses in general).

• Mutual Agreement for Indemnification for Confidentiality Breaches. CSC's indemnification obligations in section 15.5.2 may be hard for LA to enforce because it requires that CSC and LA mutually agree that the disclosure of End User information was “predominantly attributable” to CSC and its Subcontractors. While there is a reasonableness standard built into that mutual agreement requirement, the practical reality is that it might be difficult to get CSC agree to indemnify, especially if large amounts of money are at issue.

• Indemnification for Confidentiality Breaches Limited to End User Data. Rather than indemnifying for breaches involving any City Data, section 15.5.2 only applies to “End User’s information.” The term “End User” appears to have been pulled from the Google Contract (which is attached as an exhibit to the CSC Contract) and is defined as the individuals the City permits to use the Services.

The scope of “End User information” is not clear. For example, End User information might refer to the personal information of Google’s SaaS users that they input in order to use the software (e.g the name and particulars of City employees that use Google’s SaaS). In that case it might not include, for example, a database sent by LA employees using the software containing the personal information of City residents. It would probably have been better from the City’s point of view to define that term, or to have used a broader term such as “protected information” as set defined in Section 11 of the CSC Contract.

Risk of Loss Terms in the Google Contract

The Google Contract also has its own risk of loss contract language. While the Google contract has some of the same provisions as the CSC Contract, some of Google’s risk of loss terms are actually simpler and more straightforward. Overall, the Google Contract does provide unlimited liability for security and privacy breaches in some circumstances, and actually may provide slightly more protection to LA (as compared to the CSC contract).

Warranties and Warranty Disclaimer

Google provides some very basic warranties, which are not really related to security or privacy. Google does, however, warrant that it will comply with its service level agreement, which relates to availability aspects of security. All other warranties are disclaimed.

Consequential Damages Disclaimer

Section 14.1 of the Google Contract disclaims “consequential damages” as follows:

NEITHER PARTY WILL BE LIABLE UNDER THIS AGREEMENT FOR LOST REVENUES OR INDIRECT, SPEICAL, INCIDENTIAL, CONSEQUENTIAL, EXEMPLARY OR PUNITIVE DAMAGES, EVEN IF THE PARTY KNEW OR SHOULD HAVE KNOWN THAT SUCH DAMAGES WERE POSSIBLE AND ENVE IF DIRECT DAMAGES DO NOT SATISFY A REMEDY.

Significantly, however, section 14.3. of the Google Contract indicates that the consequential damages disclaimer does not apply to breaches of confidentiality obligations or indemnification obligations.

Indemnification

Section 13.2.3 of the Google Contract contains an indemnification clause that is very similar (if not exact) to the version contained in section 15.5.2 of the CSC Contract, which provides indemnification for breaches of section 7 of Google’s Contract (Confidential Information section), but only with respect to disclosure of End User information, and only if the Google and LA mutually agree that the disclosure was “predominantly attributable” to Google (or its subcontractor).

Section 13.2.4 of the Google Contract also contains a provision providing indemnification for “lost Customer Data” (again similar to/same as section 15.5.3 of the CSC Contract). Liability is unlimited for indemnification under 13.2.4 until 30 days after the City has accepted the services, and thereafter is capped at $7.7 million.

Limitation of Liability

The limitation of liability clause of the Google Contract provides as follows:

NEITHER PARTY MAY BE HELD LIABLE UNDER THIS AGREEMENT FOR MORE THAN THE AMOUNT PAID BY CUSTOMER TO RESELLER DURING THE TWELVE MONTHS PRIOR TO THE EVENT GIVING RISE TO THE LIABILITY.

However, section 14.3. of the Google Contract indicates that the LOL does not apply to breaches of confidentiality obligations or indemnification obligations.

In addition, this LOL may arguably relate only to liability for breach of the Google Contract (“this Agreement”). The LOL does not specifically indicate that liability is limited for torts outside of the contract such as negligence or fraud, or violations of statutes.  As such, if LA sued Google under a negligence theory some might argue that Google is not protected by this LOL.

Observations

The risk of loss terms in the Google Contract raise several issues related to privacy, security and legal compliance. The following matters suggest that Google is accepting a broad range of liability in the Google Contract:

• Direct Damages and Consequential Damages Unlimited for Breaches of Confidentiality Obligations.  Breaches of confidentiality obligations under the Google Contract are not subject to the LOL, and therefore Google's liability arising out of such breaches is  potentially unlimited. Note, however, that there may be some “natural limits" with respect to consequential damages that may apply (e.g. foreseeable loss). On its face, the Google Contract is broader in terms of the liability Google has explicitly agreed to for confidentiality breaches.  Nonetheless, the true scope of Google's liability depends on the meaning of confidentiality breach under the Google Contract (discussed further below).

• Google’s Indemnification Obligations for Confidentiality Breaches are Unlimited. If Google’s indemnity obligation is triggered, it is not limited by the LOL in Google's Contract. However, as discussed below, the scope of those indemnification obligations may be limited, and it may be difficult to actually trigger those obligations.

• Broader Confidentiality Obligations? Unlike the CSC contract, Google's confidentiality obligations also explicitly require Google to “protect” LA’s confidential information using the same standard of care that Google uses to protect its own confidential information (and in no event less than reasonable care). This is in addition to an explicit duty to “not disclose” LA’s confidential information (by the way, Confidential Information as defined explicitly includes “Customer Data.”).  The addition of this explicit duty to protect arguably would encompass a security breach where a third party was able to obtain or access LA’s data stored or processed by Google. Ironically, CSC might use Google’s explicit reference to this protection obligation to argue that its obligations were limited to “disclosure” (in the affirmative sense of giving away confidential information). However (as discussed), based on the same logic set, Google may have an argument that is indemnification obligations for confidentiality breaches are limited to "dislcosures."

The following identifies potential limiting factors with respect to the liability accepted by Google under the contract:

• No Indemnification for Breaches of Privacy and Security Laws. There is no explicit obligation to indemnify the City should Google or its subcontractors violate a security or privacy law.

• No Explicit Security Breach Indemnification and the Meaning of “Disclosure” in 13.2.3. There is no explicit indemnification for a security breach that involves a third party gaining unauthorized access to the City’s data. Moreover, the indemnification clause set forth in 13.2.3 relates only to the “disclosure” of End User information, as mentioned in Part One, some service providers might take the position that a third party accessing and stealing data is not a “affirmative disclosure” by Google. This argument might be buttressed by the fact that the Confidentiality section of the Google contract also references a duty to “protect,” but that duty is not referenced in the indemnification clause.

• Indemnification for Confidentiality Breaches Limited to "End User information". Rather than indemnifying for breaches involving any Customer Data (a term defined int the Google Contract), section 13.2.3 only applies to “End User’s information” (an undefined term). While the term “End User” is defined as the individuals the City permits to use the Services, the meaning of “End User information” is not clear. However, the definition of “Customer Data” which was  not used in the indemnification clause, arguably provides some indication as to the meaning of “End User information”:

“Customer Data” means all data and information provided by End Users via the sign-up process for the Services, as well as data, including email, documents, spreadsheets, presentations, and videos provided, generated, transmitted or displayed via the Services by Customer, or Reseller on behalf of Customer.

If Google wanted to argue for the limitation of its indemnification obligations, it might point to the Customer Data definition and maintain that “End User information” means the information End Users provide during the sign-up process (e.g. basically LA employee and contractor personal information). Google could argue that the data provided, generated or transmitted via the services is not End User information. This information could include, for example, personal information in a data base of LA residents that is sent in an email via Google's SaaS. Google would claim that if it intended to provide indemnification for confidentiality breaches involving this type of information it would have used the term Customer Data instead of “End User information” in the indemnification clause. The bottomline is that LA could have taken away any ambiguity simply by demanding indemnification with respect to Customer Data; they did not, so that uncertainty will linger.  Note that this could impact the scope of CSC's indemnification obligation since it refers to "End User information" as well.

• Mutual Agreement for Indemnification for Confidentiality Breaches. Section 13.2.3 may be hard for LA to enforce because it requires Google and LA to mutually agree that the disclosure of End User information was “predominantly attributable” to Google or its subcontractors. While there is a reasonableness standard built into that mutual agreement requirement, the practical reality is that it might be difficult to get Google agree to indemnify, especially if millions of dollars are at issue.

• No Explicit Security Breach Indemnification and the Meaning of “Lost.” This is basically the same issue discussed above concerning the CSC Contract. The Google Contract also provides indemnification for “lost Customer Data,” but again some might argue that data taken by a third party is not “lost.” If a copy of the data remains, has it been “lost?” Does “lost” apply only to situations such as lost laptops with data on them, such that the data is irretrievable? References to “unauthorized access” or “unauthorized use” of Customer Data, and perhaps stolen data may have expanded these indemnification obligations to cover security breach situations.

• Breach Expense Elements. There is no explicit indemnification for breach notice expenses, forensic expenses, credit monitoring expenses or call center expenses (although such expenses could be argued to be included as indemnifiable expenses in general).

Conclusion

So now that we arrive at the end of this blog series it is worthwhile to go back to the beginning. One of the goals of this series to was to validate reports that LA had convinced Google to be responsible for unlimited liability arising out of security breaches. At the end of the day, it appears that this statement is true at least with respect to some “security breaches,” but with many caveats and limitations.

It appears that Google has provided unlimited liability for direct and consequential damages for security breaches that are violations of the confidentiality obligations. While CSC’s obligations are arguably limited to unauthorized disclosures, Google could be in violation of its confidentiality breaches if it fails to protect LA’s information using the same standard Google employs internally and/or reasonable care (note that many would argue that "disclosure" includes this protection obligation, so CSC's obligations may be similar). So, with respect to the specific "protection" obligation, unlimited liability is available from Google for security breaches only if LA can establish that Google failed to protect LA’s information the same way Google protects its own or if Google used less than “reasonable care.” In other words, Google is not automatically liable for all of LA’s loss arising out of a security breach under this protection prong (note again, arguments may exist with respect to Google's disclosure obligations).

It is also possible for LA to get unlimited indemnity for City data “lost” (e.g. a lost laptop with personal information on it) due to acts or CSC or Google within 30 days of Google’s services being finally accepted by the City. It may also be possible (but is less likely) to get unlimited liability indemnification arising out of breaches of confidentiality involving “End User information.” This will depend, however, on the meaning of “disclosure” and “End User information.”   It will also require CSC and/or Google to essentially consent (e.g. mutually agree) to provide such indemnification (in my book this is not really a workable indemnification scenario, especially for big breaches where a lot of money is on the line;  CSC and Google are not likely to provide consent and there is no additional contract remedy if such consent is unreasonably withheld).

One final note, LA does have an advantage in terms of risk of loss because it has separate contracts with CSC and Google. As such, it can go after each company should a security or privacy breach occur. Moreover, even if a LOL applies, it may be able to collect from both Google and CSC (effectively doubling the LOL that is applicable to this transaction).

Thanks for reading through this series (assuming you made it this far). If you have any questions, you can contact me at 303.325.3528 or via email at dnavetta@infolawgroup.com

• Isn't the Boucher Bill just about online behavioral advertising conducted by large marketers?

No.  The Boucher Bill is proposed federal privacy and data security legislation that is very broad and far-reaching and goes way beyond regulation of online behavioral advertising as defined by the FTC.

• What would the Boucher Bill prohibit?

Under the Boucher Bill, a "covered entity" would be prohibited from collecting, using, or disclosing "covered information" from or about an individual for any purpose unless the covered entity (A) makes available to the individual a prescribed form of privacy notice prior to the collection of any covered information; and (B) obtains the consent of the individual to such collection in the manner set forth in the Bill.

This is interesting given that many regulators and legislators, including the FTC, have been calling for an end to the notice and consent model when it comes to meaningful privacy choice.

• What is a "covered entity"?

The Boucher Bill broadly defines a "covered entity" as any person engaged in interstate commerce that collects data containing covered information.  A covered entity would not include a government agency or any person that collects covered information from fewer than 5,000 individuals in any 12-month period and does not collect sensitive information.  Thus, it appears that just about any organization with more than 5,000 employees and/or customers would be a "covered entity" under the Boucher Bill.

• What is "covered information"?

The short answer is - just about anything that identifies (or even might identify) an individual.  "Covered information" is defined as, with respect to an individual, any of the following:

1. The first name or initial and last name.
2. A postal address.
3. A telephone or fax number.
4. An email address.
5. Unique biometric data, including a fingerprint or retina scan.
6. Social Security number, tax identification number, passport number, driver’s license number, or any other government-issued identification number.
7. A financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account.
8. Any unique persistent identifier, such as a customer number, unique pseudonym or user alias, Internet Protocol address, or other unique identifier, where such identifier is used
   to collect, store, or identify information about a specific individual or a computer, device, or software application owned or used by a particular user or that is otherwise associated with a particular user.
9. A preference profile.
10. Any other information that is collected, stored, used, or disclosed in connection with any covered information described in 1-9 above.

• What is a "preference profile"?

A "preference profile" is a list of information, categories of information, or preferences associated with a specific individual or a computer or device owned or used by a particular user that is maintained by or relied upon by a covered entity.

• How would a "covered entity" collecting "covered information" provide the required notice?

The answer depends on whether the covered entity collects the information online or offline.

Online:  If a covered entity collects covered information through the Internet, the Boucher Bill requires that it must post a privacy notice clearly and conspicuously on the website through which the covered information is collected.  The privacy notice must be accessible through a direct link from the Internet homepage of the covered entity.  This is very much like California's Online Privacy Protection Act, Business and Professions Code section 22575 et seq. 

Offline:  Unlike California (or any existing state law), the Boucher Bill would require notice even where information is collected offline or by means other than the Internet.  If a covered entity collects covered information by any means that does not utilize the Internet, the Bill requires that notice be made available to an individual in writing before the covered entity collects any covered information from that individual.

• What information must be included in the privacy notice?

The privacy notice (for online and offline collection) must include all of the following:

1. The identity of the covered entity collecting the covered information;
2. A description of any covered information collected by the covered entity;
3. How the covered entity collects covered information;
4. The specific purposes for which the covered entity collects and uses covered information;
5. How the covered entity stores covered information.
6. How the covered entity may merge, link, or combine covered information collected about the individual with other information about the individual that the covered entity may acquire from unaffiliated parties [an "unaffiliated party" is any entity that is not related by common ownership or affiliated by corporate control with a covered entity];
7. How long the covered entity retains covered information in identifiable form;
8. How the covered entity disposes of or renders anonymous covered information after the expiration of the retention period;
9. The purposes for which covered information may be disclosed, and the categories of unaffiliated parties who may receive such information for each such purpose;
10. The choice and means the covered entity offers individuals to limit or prohibit the collection and disclosure of covered information;
11. The means by and the extent to which individuals may obtain access to covered information that has been collected by the covered entity;
12. A means by which an individual may contact the covered entity with any inquiries or complaints regarding the covered entity’s handling of covered information;
13. The process by which the covered entity notifies individuals of material changes to its privacy notice;
14. A hyperlink to or a listing of the FTC's online consumer complaint form or the toll-free telephone number for the FTC's Consumer Response Center; and
15. The effective date of the privacy notice.

This goes far beyond the content requirements of California's Online Privacy Protection Act.

• Are there any exceptions to these notice requirements?

Yes. The notice requirements would not apply to covered information that (1)  is collected by any means that does not utilize the Internet and (2)  (a)  is collected for a "transactional purpose" or an "operational purpose" or (b)  consists solely of a first name or initial and last name, a postal address, a telephone or fax number, and/or an email address, and is part of a "first party transaction."

• What is a "transactional purpose"?

A "transactional purpose" is a purpose necessary for effecting, administering, or enforcing a transaction between a covered entity and an individual.

• What is an "operational purpose"?

An "operational purpose" is a purpose reasonably necessary for the operation of the covered entity, including (i) providing, operating, or improving a product or service used, requested, or authorized by an individual; (ii) detecting, preventing, or acting against actual or reasonably suspected threats to the covered entity’s product or service, including security attacks, unauthorized transactions, and fraud; (iii) analyzing data related to use of the product or service for purposes of optimizing or improving the covered entity’s products, services, or operations; (iv) carrying out an employment relationship with an individual; (v) disclosing covered information based on a good faith belief that such disclosure is necessary to comply with a Federal, State, or local law, rule, or other applicable legal requirement, including disclosures pursuant to a court order, subpoena, summons, or other properly executed compulsory process; and (vi) disclosing covered information to a parent company of, controlled subsidiary of, or affiliate of the covered entity, or other covered entity under common control with the covered entity where the parent, subsidiary, affiliate, or other covered entity operates under a common or substantially similar set of internal policies and procedures as the covered entity, and the policies and procedures include adherence to the covered entity’s privacy policies as set forth in its privacy notice.  However, "operational purpose" does not include the use of covered information for marketing, advertising, or sales purposes, or any use of or disclosure of covered information to an unaffiliated party for such purposes.

• What is a "first party transaction"?

A "first party transaction" is an interaction between an entity that collects covered information when an individual visits that entity’s website or place of business and the individual from whom covered information is collected.

• Do the consent requirements call for opt-in or opt-out consent?

It depends. 

Opt-out consent is enough in many circumstances.  Under the Bill, a covered entity is deemed to have the consent of an individual for the collection and use of covered information relating to that individual if the covered entity has provided to the individual a clear statement containing the information described above and informing the individual that he or she has the right to decline consent to such collection and use, and the individual either affirmatively grants consent for such collection and use or does not decline consent at the time such statement is presented to the individual.  (However, if an individual declines consent at any time subsequent to the initial collection of covered information, the covered entity may not collect covered information from the individual or use covered information previously collected.)  Alternatively, a covered entity may comply by enabling an individual to decline consent for the collection and use only of particular covered information, provided the individual has been given the opportunity to decline consent for the collection and use of all covered information.

However, some situations require opt-in consent:

1. A covered entity must provide the notice described above and obtain the express affirmative consent of the individual prior to making a material change in privacy practices governing previously collected covered information from that individual or disclosing covered information for a purpose not previously disclosed to the individual and which the individual, acting reasonably under the circumstances, would not expect based on the covered entity’s prior privacy notice.  This would codify existing law that a company may not unilaterally alter its privacy policy and use previously collected data in a manner that materially differs from the terms under which the data was originally collected. See In the Matter of Gateway Learning Corp., FTC Docket No. C-4120 (Sept. 10, 2004).
    
2. A covered entity is prohibited from selling, sharing, or otherwise disclosing covered information to an unaffiliated party without first obtaining the express affirmative consent of the individual to whom the covered information relates.  This would represent a fundamental change in existing US privacy law, except in particular narrow sectors.  Further, a covered entity that has obtained express affirmative consent from an individual must provide the individual with the opportunity, without charge, to withdraw such consent at any time thereafter.
    
3. A covered entity is prohibited from collecting or disclosing sensitive information from or about an individual for any purpose unless the covered entity makes available to such individual the privacy notice described above prior to the collection of any sensitive information and obtains the express affirmative consent of the individual to whom the sensitive information relates prior to collecting or disclosing such sensitive information.  ["Sensitive information" is any information that is associated with covered information of an individual and relates to that individual’s (A) medical records, including medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; (B) race or ethnicity; (C) religious beliefs; (D) sexual orientation; (E) financial records and other financial information associated with a financial account, including balances and other financial information; or (F) precise geolocation information.]  This would also be a significant shift in US privacy law, bringing the US much closer to existing stringent privacy protections in the EU.
    
4. A covered entity is prohibited from collecting or disclosing covered information about all or substantially all of an individual’s online activity, including across websites, for any purpose unless such covered entity makes available to such individual the privacy notice described above prior to the collection of the covered information about all or substantially all of the individual’s online activity and obtains the express affirmative consent of the individual to whom the covered information relates prior to collecting or disclosing such covered information.
    
5. With certain limited exceptions, any provider of a product or service that uses location-based information would be prohibited from disclosing such location based information concerning the user of such product or service without that user’s express opt-in consent.

• Are there any exceptions from these consent requirements?

Yes, but only with respect to the opt-out consent requirements and the opt-in consent requirements under (1) and (2) above.  There are no exceptions to the opt-in requirements under (3), (4) and (5) above.

The opt-out requirements and the Gateway-type opt-in requirements described in (1) above do not apply to the collection, use, or disclosure of covered information for a transactional purpose or an operational purpose.

The opt-in requirements described in (2) above do not apply to the disclosure of covered information by a covered entity to a service provider for purposes of executing a first party transaction if (A) the covered entity has obtained consent for the collection of covered information (opt-out and/or Gateway-type opt-in consent described above); and (B) the service provider agrees to use such covered information solely for the purpose of providing an agreed-upon service to a covered entity and not to disclose the covered information to any other person.   [A "service provider" is an entity that collects, maintains, processes, stores, or otherwise handles covered information on behalf of a covered entity, including, for the purposes of serving as a data processing center, providing customer support, serving advertisements to the website of the covered entity, maintaining the covered entity’s records, or performing other administrative support functions for the covered entity.]

In addition, notwithstanding (2) above, a covered entity may collect, use, and disclose covered information if (1) the covered entity provides individuals with the ability to opt out of the collection, use, and disclosure of covered information by the covered entity using a readily accessible opt-out mechanism whereby the opt-out choice of the individual is preserved and protected from incidental or accidental deletion, including by (A) website interactions on the covered entity’s website or a website where the preference profile is being used; (B) a toll-free phone number; or (C) letter to an address provided by the covered entity; (2) the covered entity deletes or renders anonymous any covered information not later than 24 months after the date the covered information is first collected; (3) the covered entity includes the placement of a symbol or seal in a prominent location on the website of the covered entity and on or near any advertisements delivered by the covered entity based on the preference profile of an individual that enables an individual to connect to additional information that (A) describes the practices used by the covered entity or by an advertisement network in which the covered entity participates to create a preference profile and that led to the delivery of the advertisement using an individual’s preference profile, including the information, categories of information, or list of preferences associated with the individual that may have led to the delivery of the advertisement to that individual; and (B) allows individuals to review and modify, or completely opt out of having, a preference profile created and maintained by a covered entity or by an advertisement network in which the covered entity participates; and (4) an advertisement network to which a covered entity discloses covered information does not disclose such covered information to any other entity without the express affirmative consent of the individual to whom the covered information relates.  [An "advertisement network" is an entity that provides advertisements to participating websites on the basis of individuals’ activity across some or all of those websites.]

• Are there any other exemptions under the Bill?

Yes.  The Bill explicitly provides that nothing therein shall prohibit a covered entity from collecting or disclosing aggregate information or covered information that has been rendered anonymous.

• What is "aggregate information"?

"Aggregate information" is data that relates to a group or category of services or individuals, from which all information identifying an individual has been removed.

• What does "render anonymous" mean?

"Render anonymous" means to remove or obscure covered information such that the remaining information does not identify, and there is no reasonable basis to believe that the information can be used to identify the specific individual to whom such covered information relates or a computer or device owned or used by a particular user.

• Does the Boucher Bill include any data security requirements?

Yes.  A covered entity or service provider that collects covered information about an individual for any purpose must establish, implement, and maintain appropriate administrative, technical, and physical safeguards that the FTC determines are necessary to (A) ensure the security, integrity, and confidentiality of such information; (B) protect against anticipated threats or hazards to the security or integrity of such information; (C) protect against unauthorized access to and loss, misuse, alteration, or destruction of, such information; and (D) in the event of a security breach, determine the scope of the breach, make every reasonable attempt to prevent further unauthorized access to the affected covered information, and restore reasonable integrity to the affected covered information.  The Bill would therefore extend certain GLBA- and HIPAA-like protections to non-financial and non-health care sectors.

The Bill anticipates that the FTC will develop standards to carry out this section and, in doing so, will consider the size and complexity of a covered entity, the nature and scope of the activities of a covered entity, the sensitivity of the covered information, the current state of the art in administrative, technical, and physical safeguards for protecting information, and the cost of implementing such safeguards. 

The Bill prohibits the FTC, in promulgating rules pursuant to the Bill, from requiring the deployment or use of any specific products or technologies, including any specific computer software or hardware. Thus, the Bill seeks to make any security requirements technology-neutral (similar to the Massachusetts data security regulations and other state data security laws).

• Does the Boucher Bill say anything about data integrity?

Not exactly.  The Boucher Bill addresses data "accuracy," requiring in very general terms that a covered entity "establish reasonable procedures to assure the accuracy of the covered information it collects."

• Who would enforce the Boucher Bill?

Not surprisingly, the Bill gives the FTC enforcement power and would make a violation an unfair and deceptive act or practice in violation of the FTC Act.

The Boucher Bill also gives State attorneys general the power to bring a civil action seeking injunctive relief and/or damages.

The Bill explicitly states that it does not provide any private right of action.

• Would the Boucher Bill preempt state law?

Yes, the Bill would preempt many state laws.  The Bill would supersede any provision of a statute, regulation, or rule of a State or political subdivision of a State, that includes requirements for the collection, use, or disclosure of covered information. 

The Bill would have no effect on GLBA, HIPAA, COPPA, the CAN-SPAM Act, certain other federal laws, or the FTC's authority pursuant to other laws.