Info Law Group : Technology Lawyers & Attorneys : Information Law Group : Privacy, Security & Intellectual Property Law

The rules grant utilities unfettered use of customer data for regulated utility purposes. However, utilities will generally be permitted to share a customer’s data with third parties only after the customer provides informed consent. Utilities may obtain customer consent under the rules if a customer submits a consent form – which will be prescribed and supplied the PUC – electronically or by postal mail. The PUC granted an exception to the rule which will also allow customers to provide consent in person, provided that the customer produces appropriate identification. Customer consent will have no expiration date. The PUC rejected the Administrative Law Judge’s proposal that consent forms must be notarized, as the commissioners agreed that the notarization process is burdensome and unnecessary for authenticating customer consent. Utilities must also obtain the customer’s consent before using customer data for unregulated services.

The rules permit a utility to disclose customer data to a contracted agent, as long as the agent uses the data solely for the purpose of the contract between the agent and the utility. Several interested parties filed an exception to the rule, asking that contracted agents be granted unlimited secondary use of customer data. The PUC denied the exception, noting that this proposed exception was contrary to the purpose and spirit of the regulations. The regulations will continue to prohibit contracted agents from using customer data for a secondary commercial purpose unrelated to the purpose of the contract without first obtaining the customer’s consent.

While a number of the filed exceptions were denied by the PUC, the commissioners did agree to strike proposed Rule 3032, which would have given customers the option to place a data freeze on their utility account. The data freeze provisions provided customers with an opt-in opportunity to prevent utilities from disclosing customer data to third parties. However, since the proposed rules operate under the basic assumption that customer data will not be disclosed to third parties without customer consent, the commissioners agreed that the Rule 3032 was redundant and unnecessary.

Another notable decision of the PUC was the commissioners’ affirmation of the penalties as set forth in proposed Rule 3036. Interested parties argued that, without a cap on total liability, penalties issued under the Rule would be excessive. However, the PUC denied the exceptions to Rule 3036. Although the Rule provides for penalties that have the potential to be rather large, the PUC indicated that penalties will only apply for “intentional” violations of the rules.

The rules also require utilities to provide annual written notice to customers explaining their privacy and security policies governing access to and disclosure of customer data and aggregated data to third parties. During the hearing, the PUC agreed to allow utilities to deliver this notice to customers electronically. The PUC also agreed to give electric utilities until March 1, 2012 to file their compliance tariffs.

Colorado joins several other states that are seeking to regulate utilities’ use and disclosure of customer data. While some issues remain unresolved after the hearing, PUC staff will be circulating an updated draft of the rules that reflects the PUC’s recent decisions. We will continue to discuss this and other utility-related privacy initiatives on our blog as they develop, so check back often.

According to the complaint, when a user clicks on one of Facebook’s third-party advertisements, Facebook sends a “Referrer Header” to the corresponding advertiser. This header contains the specific webpage address that the user was viewing before clicking on the advertisement, and reveals personally identifiable information to the advertiser such as the user’s name, gender, and picture. The Plaintiffs brought this class action suit on behalf of themselves and all Facebook users in the United States who clicked on a third-party advertisement displayed on Facebook after May 28, 2006.

ECPA Claims

The Plaintiffs alleged violations of the Wiretap Act (which applies to communications in transmission) and the Stored Communications Act (which applies to communications in storage). Both prohibit electronic communication services such as Facebook from divulging the contents of communications to parties other than the “addressee or intended recipient.” According to the complaint, when a Facebook user clicks on a third-party advertisement, the user asks Facebook to send an electronic communication – the Referrer Header - to the advertiser. The Plaintiffs claimed that users do not expect and do not consent to Facebook’s disclosure of all of the contents of those communications (e.g. their personal information) to the advertisers.

The court interpreted these allegations in two ways. Under the first interpretation, a user’s click on an advertisement constitutes a communication from the user to Facebook - the content of the user’s communication to Facebook is a request that Facebook send a subsequent communication to the advertiser. As the communication is sent from the user to Facebook in this scenario, Facebook is the intended recipient of the communication and therefore not liable under ECPA for disclosing the communication to advertisers. Under the second interpretation, a user’s click on an advertisement constitutes a communication from the user to the advertiser; by clicking on an advertisement, a user asks Facebook to pass the communication along to the advertiser. In this scenario, Facebook cannot be liable under ECPA for divulging the communication to the advertiser because the advertiser is the addressee or intended recipient. As such, the court held as a matter of law that the Plaintiffs failed to state a claim for violations of ECPA under either interpretation.

California Consumer Protection - Personal Information is Not Property

The Plaintiffs also sought damages under the UCL. To assert a UCL claim, a plaintiff needs to have “suffered injury in fact and . . . lost money or property as a result of the unfair competition.” The Plaintiffs claimed they lost property – their personally identifiable information – as a result of Facebook’s conduct. The court dismissed the claim, expressly holding that personal information does not constitute property for purposes of the UCL. In addition, the court limited the scope of its prior ruling in Doe 1 v. AOL, LLC , which considered claims under the UCL after AOL inadvertently disclosed sensitive personal information of its users to the public. In contrast to that alleged by the Plaintiffs, AOL’s disclosure of personal information was not something users’ bargained for when they “signed up and paid fees for” AOL’s services. According to the court “a plaintiff who is a consumer of certain services (i.e. who ‘paid fees’ for those services) may state a claim under certain California consumer protection statutes when a company, in violation of its own policies, discloses personal information about its consumers to the public.” Because the Plaintiffs did not pay to use Facebook, the court dismissed the UCL claim with prejudice.

What is Left?

While dim, there is some light at the end of the tunnel for the Plaintiffs in this case. The court rejected Facebook’s argument that the Plaintiffs lacked standing, holding that the Plaintiffs alleged sufficient injury-in-fact to continue the case in federal court. Additionally, the court permitted the Plaintiffs to re-file five of the eight dismissed claims. Yet even with the chance to re-file, actual harm in the privacy litigation context remains a difficult concept for plaintiffs to prove - just recently another privacy-related lawsuit involving flash cookies was dismissed for lack of actual harm. This decision once again demonstrates that plaintiffs attempting to recover damages for privacy violations face an uphill battle. We will keep you updated if and when this case progresses.
 

Ceridian Allegations

The FTC alleged that the privacy and information security representations Ceridian disseminated thought the company’s website were false and misleading and, therefore, constituted unfair or deceptive acts or practices that violated Section 5(a) of the Federal Trade Commission Act. Specifically, the FTC alleged that Ceridian made the following representations regarding the privacy and confidentiality of the personal information the company collected:

Worry-free Safety & Reliability . . . When managing employee health and payroll data, security is paramount with Ceridian. Our comprehensive security program is designed in accordance with ISO 27000 series standards, industry best practices and federal, state and local regulatory requirements.

With respect to its information security measures, the Ceridian stated:

Confidentiality and Privacy: [Ceridian] shall use the same degree of care as it uses to protect its own confidential information of like nature, but no less than a reasonable degree of care, to maintain in confidence the confidential information of the [customer].

The FTC alleged that these statements were false and misleading because Ceridian:

• Stored personal information in clear, readable text;
• Created unnecessary risks to personal information by storing it indefinitely on its network without a business need;
• Did not adequately assess the vulnerability of its web applications and network to commonly known or reasonably foreseeable attacks, such as “Structured Query Language” (“SQL”) injection attacks;
• Did not implement readily available, free or low-cost defenses to such attacks; and
• Failed to employ reasonable measures to detect and prevent unauthorized access to personal information.

The FTC alleged that hackers exploited these vulnerabilities by launching an SQL injection attack on the company's website and web application. The hackers gained access to Ceridian's network and obtained customers' employee data (including bank account numbers, Social Security numbers, and dates of birth). The breach affected the personal information of at least 27,673 individuals.

Lookout Allegations

The FTC alleged similar privacy and security violations by Lookout.  Specifically, the FTC alleged that Lookout made the following representations regarding the security of employee data the company maintained:

Although the data is entered via the web, your data will be encoded and transmitted over secured lines to Lookout Services server. This FTP interface will protect your data from interception, as well as, keep the data secure from unauthorized access.... Our servers are continuously monitoring attempted network attacks on a 24 x 7 basis, using sophisticated
software tools.

The FTC alleged that these representations were false and misleading and violated Section 5(a) of the FTC Act because Lookout:

• Failed to establish or enforce rules sufficient to make user credentials (i.e., user ID and password) hard to guess; for example, the company did not require its customers or employees to use complex passwords to access the product database;
• Failed to require periodic changes of user credentials for customers and employees with access to sensitive personal information;
• Failed to suspend user credentials after a certain number of unsuccessful login attempts;
• Did not adequately assess and address the vulnerability of the company's web application to widely-known security flaws, such as “predictable resource location,” which enables users to easily predict patterns and manipulate the uniform resource locators (“URLs”) to gain access to secure web pages;
• Allowed users to bypass the authentication procedures on Lookout’s website when
  they typed in a specific URL;
• Failed to employ sufficient measures to detect and prevent unauthorized access to
  computer networks, such as by employing an intrusion detection system and
  monitoring system logs; and
• Created an unnecessary risk to personal information by storing passwords used to
  access the product database in clear text.

The FTC alleged that these deficiencies enabled an employee of a Lookout customer to gain
access to the personal information of over 37,000 individuals (including names, addresses, dates of birth and Social Security numbers). The employee obtained a URL for a secure Lookout web page during a webinar for the company's I-9 compliance solution. She subsequently typed that URL into her browser and gained access to employee personal information without having to provide valid user credential. The employee also visited Lookout’s public-facing login web page for the company's product and successfully guessed and entered several different user IDs and passwords, including the user ID “test” and the password “test.” As a result, the employee was able to access the personal information of more than 11,000 individuals. Then, by making minimal and easy-to-guess changes to the URL, the employee gained access to the entire product database, which included the personal information of more than 37,000 individuals. The FTC alleged that because Lookout did not employ an intrusion detection system until October 2009, or adequately monitor system logs until December 2009, it was unknown if other unauthorized persons accessed the personal information in the company's database before that time.

Settlements

The settlement orders bar the misrepresentations, including misleading claims about the privacy, confidentiality, or integrity of any personal information collected from or about consumers (including customers' employees). The FTC also requires the companies to implement a comprehensive information security program and to obtain independent, third party security audits every other year for 20 years. 

The comprehensive security program must contain administrative, technical and physical safeguards appropriate to each company's size and complexity, the nature and scope of its activities, and the sensitivity of the information collected from or about consumers and employees.

Specifically, the consent orders require each company to:

• Designate an employee or employees to coordinate and be accountable for the information security program;
• Identify material internal and external risks to the security, confidentiality and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assess the sufficiency of any safeguards in place to control these risks;
• Design and implement reasonable safeguards to control the risks identified through risk assessment, and regularly test or monitor the effectiveness of the safeguards’ key controls, systems, and procedures;
• Develop and use reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from Ceridian, and require service providers by contract to implement and maintain appropriate safeguards; and
• Evaluate and adjust its information security programs in light of the results of testing and monitoring, any material changes to operations or business arrangements, or any other circumstances that it knows or has reason to know may have a material impact on its information security program.

Lessons Learned

The FTC's enforcement actions against Ceridian and Lookout likely signal a two-fold expansion of the Commission's privacy and data security enforcement activities: to smaller-scale violations and violations affecting employee data. The two actions are not typical for the FTC for several reasons. First, the incidents affected a relatively small number of individuals (with no hard evidence of malicious hacking at Lookout).  In addition, the enforcement actions focused on the personal information of employees rather than consumers. While consumers are the focus of an overwhelming majority of the FTC's privacy and information security enforcement, the FTC has long viewed its Section 5 jurisdiction broadly.  As early as 2000, the FTC took the position that it "has the same jurisdiction in the employment-related data situation as it would generally under Section 5 of the FTC Act … [A]ssuming a case met our existing criteria (unfairness or deception) for a privacy-related enforcement action, we could take action in the employment-related data situation." With Ceridian and Lookout settlements, the FTC seems to want to dispel the notion that it is focused solely on large scale, high profile privacy and information security violations affecting consumers. This is another reason to take a hard look at your company's privacy and information security compliance.

The proposed Data Protection Act governs the use and disclosure of “usage data” in both identifiable and aggregated format. The Act defines “usage data” as information relating to both (i) the amount of electricity consumed at a residence or customer premises; and (ii) the characteristics of that consumption. “Usage data” includes the dates and times when electricity is consumed and information about the appliances and devices that consume the electricity. The Act also provides utility customers with the right to access their usage data.

The Act deems usage data “customer-identifiable” when it is associated with any information that identifies or is uniquely associated with a customer, such as a name, Social Security or taxpayer identification number, street address, telephone number, electric utility account number, meter number or financial account information. Notably, the scope of “identifiable” data is not limited to information about individuals. Rather, the Act defines a “customer” as an individual, a business or a legal entity receiving service from an electric utility.

The Act permits utilities to use customer-identifiable usage data without customer consent for “business purposes” such as (i) the provision of services; (ii) billing; (iii) support of the infrastructure; (iv) the development, enhancement, marketing or provision of energy-related products and services; and (v) the promotion of public policy objectives, including energy efficiency and environmental initiatives.

Pursuant to the Act, a utility may disclose identifiable usage data without customer consent to affiliates and third parties that assist the utility in providing services and carrying out business objectives. The affiliate or third party that receives the usage data must agree in writing that it will maintain the confidentiality of the data and use the data only for the permissible purposes. Customer consent also is not required for disclosures of usage data to comply with legal requirements, in the event of a merger or a sale of assets, or in an emergency.  

The Act also permits utilities to disclose a customer’s usage data to a third party if the customer provides an informed consent to the disclosure. 

The Oklahoma bill is one of the many state-level initiatives that seek to regulate the use and disclosure of personal data that utilities and other entities collect, use and disclose in connection with the Smart Grid. We have written on our blog about the ABA’s effort to catalogue these efforts. Check back often as we continue to discuss Smart Grid-related privacy legislation and other privacy initiatives.
 

The legislation at issue prohibits retailers from asking customers for their personal identification information and recording it during credit card transactions. Section 1747.08(a) provides that "no . . . firm . . . that accepts credit cards for the transaction of business shall . . . [r]equest, or require as a condition to accepting the credit card as payment in full or in part for goods or services, the cardholder to provide personal identification information, which the . . . firm . . . accepting the credit card writes, causes to be written, or otherwise records upon the credit card transaction form or otherwise."  Subdivision (b) defines "personal identification information" as “information concerning the cardholder . . . including, but not limited to, the cardholder's address and telephone number.”

The California Supreme Court reversed the Court of Appeal, holding that the definition means exactly what it says - personal identification information means any "information concerning the cardholder."  The Court cited Webster's, noting that "concerning" is "a broad term meaning “pertaining to; regarding; having relation to; [or] respecting."  The Court rejected the Court of Appeal's reasoning that a zip code pertains to a group of individuals, not a specific individual, finding that the reference to address in the definition of "personal identification information" must also include components of an address. The Court attacked the Court of Appeal's assumption that a complete address and telephone number are not specific to an individual. The Court took the position that interpreting the term "personal identification information" to mean any information of any kind "concerning" a consumer is consistent with the consumer protection goals of the statute.  The Court reasoned:

the legislative history of the Credit Card Act in general, and section 1747.08 in particular, demonstrates the Legislature intended to provide robust consumer protections by prohibiting retailers from soliciting and recording information about the cardholder that is unnecessary to the credit card transaction.

The Court's discussion of "information concerning" reminds me of the boilerplate definitions we litigators always use (and then fight about) in discovery requests and meet and confers.  The litigators out there know what I am talking about:  "for purposes of these document requests, the term 'concerning' means 'discussing, describing, reflecting, containing, commenting, evidencing, constituting, setting forth, considering, pertaining to," and on, and on, and on . . . Such definitions, interpretations, and arguments may be fun for litigators, but in real life no one knows what they really mean and they have no practical application.  If "concerning" can mean anything, it kind of means nothing for purposes of providing practical guidance for reasonable business practices. 

Further, while the Court's reading of the statute might make sense in a vacuum as a matter of plain language statutory interpretation based on the phrase "information concerning," the Court's analysis seems to omit any discussion of the words "personal identification" in the term "personal identification information."  Zip codes may be information "concerning" a person, but they do not personally identify any individual.

Finally, and perhaps most significantly, it is not clear how collection of zip codes, while perhaps unnecessary to credit card transactions, is of any potential harm to the consumer. And that, as the Court notes, is the point of the statute - consumer protection.  The Court does not discuss any potential harm to the consumer from collection of zip codes.  That is not surprising since collection of zip codes does not give rise to any obvious or apparent consumer harm.  

I'm off to speak at the RSA Conference.  Look forward to hearing your thoughts on this one.  Happy weekend to all.

The FTC developed the proposed framework in recognition of increasing advances in technology that allow for rapid data collection and sharing that is often invisible to consumers. The framework is designed to reduce the burdens of protecting online privacy on consumers and businesses. The report is intended to inform policymakers, including Congress, as they develop solutions, policies, and potential laws governing privacy, and guide and motivate industry as it develops more robust and effective best practices and self-regulatory guidelines.

Building on the FTC’s guidance on behavioral advertising, the proposed framework seeks to further expand the scope of protected data beyond the traditional notions of “personally identifiable information.” Specifically, the proposed framework would apply broadly to online and offline commercial entities that collect, maintain, share or otherwise use consumer data that can reasonably be linked to a specific consumer, computer or device.

In developing the proposed privacy framework, the FTC observed that:

•  there is ubiquitous collection and use of consumer data online;

• the distinction between personally identifiable information and anonymous or de-identified information is blurring;

• the increased flow of information, including consumer data, creates significant economic benefits;

• the FTC’s existing “notice-and-choice” model of privacy protection has led to companies publishing privacy policies and notices that are long, legalistic disclosures that consumers usually do not read and do not understand;

• current privacy policies force consumers to bear too much burden in protecting their privacy;

• the FTC’s existing “harm-based model” of privacy protection, while focusing on protecting consumers from specific harm (e.g., physical or economic) has failed to recognize less tangible privacy concerns such as reputational harm or the fear of being monitored;

• both of the FTC’s privacy protection models (“notice-and-choice” and “harm-based”) have failed to keep up with data collection technology, including data collection that is invisible to consumers and website owners;

• industry efforts to address privacy through self-regulation have been “too slow” and have failed to provide adequate and meaningful protection to consumers;

• some companies manage consumer information in an irresponsible and even reckless manner, and many companies do not adequately address consumers’ privacy interests;

• many consumers are not informed about or cognizant of the risks associated with the collection, sharing and other use of their personal information; they lack understanding and ability to make informed choices about the collection and use of their data.

To reduce the burden on consumers and ensure basic privacy protections, the report makes a number of recommendations, which are summarized below.

1.       Privacy by Design

The report recommends that companies adopt a “privacy by design” approach by building privacy protections into their everyday business practices. Such protections include reasonable security for consumer data, limited collection and retention of such data, secure disposal of the data and reasonable procedures to promote data accuracy. Companies also should implement and enforce procedurally sound privacy practices throughout their organizations, including assigning personnel to oversee privacy issues, training employees and conducting privacy reviews for new products and services. The report calls for companies to implement these concepts in a systematic manner, scaled to each company’s business operations, including the amounts and types of data the organization processes. 

2.      Notice

The report calls on companies to improve their privacy policies and notices so that interested parties can compare data practices and choices across companies. For example, to facilitate meaningful choice, the FTC is recommending just-in-time concise notice and choice at the data collection point or before a consumer accepts a product or service. The FTC believes that privacy policies will continue to play an important role in promotion transparency, accountability and competition among companies on privacy issues – but only if the policies are clear, concise and easy to read. The report also recommends consideration of standardized privacy notices that allow consumers to compare information practices of competing companies. Finally, the FTC has reminded organizations that they must provide robust notice regarding material, retroactive changes to data practices and obtain affirmative consent to such changes.

3.      Choice, Including a Do-Not-Track Mechanism

The report calls for companies to provide choices to consumers about companies’ data practices in a simpler, more streamlined manner than has been used in the past. Consumers should be presented with choice about collection and sharing of their data at the time and in the context in which they are making decisions – not after having to read long, complicated disclosures that they often cannot find. The report suggests that, to simplify choice for both consumers and businesses, companies should not have to seek consent for certain commonly accepted practices associated with processing consumers’ transactions, internal business operations (such as improving services), fraud prevention, legal compliance and first-party marketing. Some of these data uses are apparent in the context of the transaction, while others are accepted or necessary for public policy reasons. For data practices that are not commonly accepted or necessary, consumers should be able to make an informed and meaningful choice. The FTC used the report to remind organizations that they must obtain affirmative consent for material, retroactive changes to their data practices.

One method of simplified choice the FTC has recommended is a “Do Not Track” mechanism governing the collection of information about consumer’s Internet activity to deliver targeted advertisements and for other purposes. The FTC has recommended a simple, easy to use choice mechanism for consumers to opt out of the collection of information about their Internet behavior for targeted ads. The FTC believes that a practical solution is technologically feasible and suggests that the most practical method could involve the placement of a persistent setting, similar to a cookie, on the consumer’s browser signaling the consumer’s choices about being tracked and receiving targeted advertising.

4.      Access

The report recommends allowing consumers “reasonable access” to the data that companies maintain about them, particularly for non-consumer facing entities such as data brokers. Because of significant costs associated with access, the report suggests that access should be proportional to both the sensitivity of the data and its intended use.

We note that the data access principle, although novel in the U.S., is a well-established requirement in the European Union and some other jurisdictions that have adopted omnibus data protection regimes. In addition, providing reasonable access to personal data is one of the seven privacy principles mandated by the EU-U.S. and Switzerland-U.S. Safe Harbor programs. Accordingly, many U.S. entities that have certified compliance with the Safe Harbor are already complying with the data access requirement with respect to personal data they receive from Europe.

5.      Privacy Awareness

The FTC has proposed that stakeholders undertake a broad effort to educate consumers about commercial data practices and the choices available to them. The FTC believes that increasing consumers’ understanding of commercial data collection practices will facilitate competition on privacy among companies.

6.      Enforcement

The FTC reiterated its resolve to take action against companies that “cross the line” with consumer data and violate consumers’ privacy – especially when children and teens are involved. The Commission also made clear that consumers’ choices should be respected. The FTC will not tolerate use of technology to circumvent consumer choice.

In issuing the report, the commission posed a series of questions to privacy stakeholders. The deadline for submitting comments to the FTC is January 31, 2011. The questions concern the scope of the companies and data to which the framework should apply; the substantive privacy protections the framework offers; data management procedures; practices that should require meaningful choice; the “do-not-track” proposal; transparency of privacy practices and improvement of privacy notices; data access; and consumer education.

Please check back with us as we address the report in more detail in the coming days.

(a) failed to employ sufficient measures to detect and prevent unauthorized access to computer networks or to conduct security investigations, such as by employing an intrusion detection system and monitoring system logs;

(b) failed to adequately restrict third-party access to its networks, such as by restricting connections to specified IP addresses or granting temporary, limited access;

(c) failed to monitor and filter outbound traffic from its networks to identify and block export of sensitive personal information without authorization;

(d) failed to use readily available security measures to limit access between in-store networks, such as by employing firewalls or isolating the payment card system from the rest of the corporate network; and

(e) failed to use readily available security measures to limit access to its computer networks through wireless access points on the networks.

The card issuing banks have claimed several hundred thousand dollars in fraudulent charges.

Not surprisingly, the FTC alleged these failures to implement "reasonable security" constituted an unfair act or practice in violation of Section 5(a) of the Federal Trade Commission Act, 15 U.S.C § 45(a).

Like many other similar FTC settlements, this one requires that Dave & Buster's establish and maintain a comprehensive information security program and obtain independent audits by a person qualified as a Certified Information System Security Professional (CISSP) or as a Certified Information Systems Auditor (CISA); a person holding Global Information Assurance Certification (GIAC) from the SysAdmin, Audit, Network, Security (SANS) Institute; or a similarly qualified person or organization approved by the Associate Director for Enforcement, Bureau of Consumer Protection, for (1) the first one hundred and eighty (180) days after service of the order for the initial Assessment, and (2) each two (2) year period thereafter for ten (10) years after service of the order. 

Dave & Buster's' comprehensive information security program must include the following, and more:

A. the designation of an employee or employees to coordinate and be accountable for the information security program;

B. the identification of material internal and external risks to the security, confidentiality, and integrity of personal information that could result in the unauthorized disclosure, misuse, loss, alteration, destruction, or other compromise of such information, and assessment of the sufficiency of any safeguards in place to control these risks. At a minimum, this risk assessment should include consideration of risks in each area of relevant operation, including, but not limited to: (1) employee training and management; (2) information systems, including network and software design, information processing, storage, transmission, and disposal; and (3) prevention, detection, and response to attacks, intrusions, or other systems failures;

C. the design and implementation of reasonable safeguards to control the risks identified through risk assessment and regular testing or monitoring of the effectiveness of the safeguards’ key controls, systems, and procedures;

D. the development and use of reasonable steps to select and retain service providers capable of appropriately safeguarding personal information they receive from respondent, and requiring service providers by contract to implement and maintain appropriate safeguards; and

E. the evaluation and adjustment of respondent’s information security program in light of the results of the testing and monitoring required by sub-Part C, any material changes to respondent’s operations or business arrangements, or any other circumstances that respondent knows or has reason to know may have a material impact on the effectiveness of its information security program.

Incidentally, for those of you, like me, who are fascinated (yes, it is true, I admit it) by the many and differing definitions of "Personal Information" out there in this country, you may be interested to note the FTC's definition for purposes of this settlement:

“Personal information” shall mean individually identifiable information from or about an individual consumer including, but not limited to: (a) a first and last name; (b) a home or other physical address, including street name and name of city or town; (c) an email address or other online contact information, such as an instant messaging user identifier or a screen name; (d) a telephone number; (e) a Social Security number; (f) a driver’s license number; (g) a credit card or debit card account number; (h) a persistent identifier, such as a customer number held in “cookie” or processor serial number, that is combined with other available data that identifies an individual consumer; or (i) any information that is combined with any of (a) through (h) above.

We fully expect to see more FTC action in this area.  Stay tuned for settlement number 28.