Vicarious liability may be used to state a claim under the FACTA provision prohibiting a retailer from printing a credit card expiration date on a receipt. See Keith v. Back Yard Burgers of Nebraska, Inc., No. 8:11-CV-135 (D. Neb. Apr. 13, 2012). According to the court, only one other unreported decision had addressed a franchisor's vicarious liability under FACTA.
This is significant because in the past, platforms have utilized federal laws such as CAN-SPAM, which prohibits sending misleading electronic communications, to punish the most egregious spammers. If Twitter prevails in this lawsuit, it puts all users on notice that there is monetary liability for breaching a platform's TOS, which significantly expands the ability of a social media company to reign in prohibited activity by users.
We have entered an era where our commercial transactions are increasingly being conducted online without any face-to-face interaction, and without the traditional safeguards used to confirm that a party is who they purport to be. The attenuated nature of many online relationships has created an opportunity for criminal elements to steal or spoof online identities and use them for monetary gain. As such, the ability of one party to authenticate the identity of the other party in an online transaction is of key importance.To counteract this threat, the business community has begun to develop new authentication procedures to enhance the reliability of online identities (so that transacting parties have a higher degree of confidence that the party on the other end of an electronic transaction is who they say they are). At the same time, the law is beginning to recognize a duty to authenticate. This blogpost post looks at two online banking breach cases to examine what courts are saying about authentication and commercially reasonable security.
Two online marketers of acai berry products recently settled the FTC's charges that the marketers engaged in deceptive practices by operating "fake news" sites directly and through affiliates to promote acai berry products. Although these cases are extreme examples of deceptive practices, they should serve as an important reminder for companies engaging in affiliate marketing that the FTC actively enforces in this area using the FTC Act, and that companies marketing through affiliates and affiliate marketers must understand and address the FTC's Guides Concerning the Use of Endorsements and Testimonials in Advertising, which were updated in 2009 ("Guides"). As discussed further below, this can pose a challenge for companies of all types advertising through affiliate marketing programs
Employees are increasingly using (and demanding to use) their personal devices to store and process their employer's data, and connect to their networks. This "Bring Your Own Device" trend is in full swing, whether companies like it or not. Some organizations believe that BYOD will allow them to avoid significant hardware, software and IT support costs. Even if cost-savings is not the goal, most companies believe that processing of company data on employee personal devices is inevitable and unavoidable.Unfortunately, BYOD raises significant data security and privacy concerns, which can lead to potential legal and liability risk. This blogpost identifies and explores some of the key privacy and security legal concerns associated with BYOD, including "reasonable" BYOD security, BYOD privacy implications, and security and privacy issues related to BYOD incident response and investigations.
Earlier today the Federal Trade Commission issued its long-awaited final report "Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers" focusing on three primary principles: 1) Privacy by Design; 2) Simplified Choice for Businesses and Consumers; and 3) Greater Transparency. The vote approving the report was 3-1. Commissioner J. Thomas Rosch dissented from the issuance of the Final Privacy Report.
Nowadays, a news story on privacy is out of place if it doesn't mention Do-Not-Track (known as "DNT") or Big Data. While these hot topics represent key concerns for privacy professionals, advocates and regulators, there is no clear agreement on what they mean or how to address the privacy issues they raise. In this post, we consider recent developments on these topics, including how the Federal Trade Commission has sought to focus on and connect these new issues.DNT or DNC DNT is in the midst of a multi-faceted identity crisis, starting with a disagreement over the definition of DNT. Self-regulatory organizations and the advertising industry assert that DNT stands for "Do Not Target," referring to the use of consumer data for the purposes of targeted advertising. The FTC, buoyed by privacy advocates, appears to take the view that DNT means not only "Do Not Target" but also "Do Not Collect" (DNC). FTC Commissioner Brill elaborated at the 2012 IAPP Summit that she doesn't view the current DNT efforts as entirely sufficient because the choice DNT offers does not give consumers appropriate protection against what Brill characterized as "limitless, unmitigated" data collection. But Brill does not argue for wholesale implementation of DNC, and has indicated that the details of the implementation of DNT/DNC will continue to remain a key focus for the FTC.
Yesterday the National Institute of Standards and Technology (NIST) released the 4th revision of its "Security and Privacy Controls for Federal Information Systems and Organizations." Despite the long title it will ultimately be a mainstay reference for federal agencies required to comply with provisions of the Federal Information Security Management Act (FISMA) and FIPS 200. As a result it should have a significant affect on cloud security practices effecting commercial non-governmental cloud usage.
Google's new privacy policy (and its plans to create user profiles across multiple online services) has drawn fire from European data protection authorities. Online and mobile retailers and service providers should take account of a renewed emphasis on transparency and proportionality in collecting data about users.
What happened in the privacy world last week? On Thursday, just before the release of the White House Paper, California Attorney General Kamala Harris announced an agreement with the leading operators of mobile application platforms to privacy principles designed to bring the mobile app industry in line with a California law requiring mobile apps that collect personal information to have a privacy policy. It might be argued that the White House is now enunciating principles and best practices, and encouraging legislation of principles, that have long been embodied not only as best practice but as actual legislation under California law.