<?xml version="1.0" encoding="UTF-8"?>
<rdf:RDF xmlns:rdf="http://www.w3.org/1999/02/22-rdf-syntax-ns#" xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns="http://purl.org/rss/1.0/" xmlns:l="http://purl.org/rss/1.0/modules/link/" xmlns:content="http://purl.org/rss/1.0/modules/content/">
 <!-- Generated by Ektron CMS400.NET -->
 <channel rdf:about="http://www.scottandscottllp.com/main/blogentry.aspx?blogid=172">
  <title>Privacy &amp; Security Blog</title>
  <link>http://www.scottandscottllp.com/main/blogentry.aspx?blogid=172</link>
  <description></description>
  <dc:date>2013-05-22T03:55:35.3110117Z</dc:date>
  <dc:language>en-US</dc:language>
  <items>
   <rdf:Seq>
    <rdf:li rdf:resource="http://www.scottandscottllp.com/main/mobile_app_privacy_disclosures.aspx?blogid=172" />
    <rdf:li rdf:resource="http://www.scottandscottllp.com/main/california_regulates_employer_social_media_access.aspx?blogid=172" />
    <rdf:li rdf:resource="http://www.scottandscottllp.com/main/state_data_breach_laws_evolve.aspx?blogid=172" />
    <rdf:li rdf:resource="http://www.scottandscottllp.com/main/data_breach_insurance_coverage.aspx?blogid=172" />
    <rdf:li rdf:resource="http://www.scottandscottllp.com/main/connecticut_amends_data_breach_notification_statute.aspx?blogid=172" />
    <rdf:li rdf:resource="http://www.scottandscottllp.com/main/blogentry.aspx?id=2992&amp;blogid=172" />
    <rdf:li rdf:resource="http://www.scottandscottllp.com/main/cispa_passes_house.aspx?blogid=172" />
    <rdf:li rdf:resource="http://www.scottandscottllp.com/main/white_house_outlines_consumer_privacy_bill_of_rights.aspx?blogid=172" />
    <rdf:li rdf:resource="http://www.scottandscottllp.com/main/Office_for_Civil_Rights_to_Begin_Audits.aspx?blogid=172" />
    <rdf:li rdf:resource="http://www.scottandscottllp.com/main/SOPA_Moves_To_House_Committee.aspx?blogid=172" />
    <rdf:li rdf:resource="http://www.scottandscottllp.com/main/New_Texas_Healthcare_Privacy_Law.aspx?blogid=172" />
    <rdf:li rdf:resource="http://www.scottandscottllp.com/main/Proposed_Federal_Data_Privacy_Legislation.aspx?blogid=172" />
    <rdf:li rdf:resource="http://www.scottandscottllp.com/main/Do_Not_Track_Me_Bill_Introduced.aspx?blogid=172" />
    <rdf:li rdf:resource="http://www.scottandscottllp.com/main/Right_to_Privacy_in_Email.aspx?blogid=172" />
    <rdf:li rdf:resource="http://www.scottandscottllp.com/main/Mississippi_Passes_Notification_Law.aspx?blogid=172" />
    <rdf:li rdf:resource="http://www.scottandscottllp.com/main/Dave_And_Busters_Busted.aspx?blogid=172" />
    <rdf:li rdf:resource="http://www.scottandscottllp.com/main/Costly_Privacy_Breaches_in_2009.aspx?blogid=172" />
    <rdf:li rdf:resource="http://www.scottandscottllp.com/main/Businesses_Fail_to_Guard_Against_and_Respond_to_Data_Security_Breaches_at_their_Peril.aspx?blogid=172" />
    <rdf:li rdf:resource="http://www.scottandscottllp.com/main/privacy_act.aspx?blogid=172" />
    <rdf:li rdf:resource="http://www.scottandscottllp.com/main/drafting_privacy_policies.aspx?blogid=172" />
    <rdf:li rdf:resource="http://www.scottandscottllp.com/main/data_breach_notification_update.aspx?blogid=172" />
    <rdf:li rdf:resource="http://www.scottandscottllp.com/main/state_data_encryption_laws.aspx?blogid=172" />
    <rdf:li rdf:resource="http://www.scottandscottllp.com/main/internet_service_provider_liability.aspx?blogid=172" />
    <rdf:li rdf:resource="http://www.scottandscottllp.com/main/privacy_internet_constitutional_right_to_privacy.aspx?blogid=172" />
    <rdf:li rdf:resource="http://www.scottandscottllp.com/main/privacy_security_company_settles_with_ftc.aspx?blogid=172" />
    <rdf:li rdf:resource="http://www.scottandscottllp.com/main/accenture_sued_for_data_security.aspx?blogid=172" />
    <rdf:li rdf:resource="http://www.scottandscottllp.com/main/thought_on_data_breach_notification_laws.aspx?blogid=172" />
    <rdf:li rdf:resource="http://www.scottandscottllp.com/main/valueclick_settle_with_ftc.aspx?blogid=172" />
   </rdf:Seq>
  </items>
 </channel>
 <item rdf:about="/main/mobile_app_privacy_disclosures.aspx?blogid=172">
  <title>FTC Releases Report Regarding Mobile App Privacy Disclosures</title>
  <link>http://www.scottandscottllp.com/main/mobile_app_privacy_disclosures.aspx?blogid=172</link>
  <description><![CDATA[In a report released by the Federal Trade Commission (“FTC”) in February 2013, the FTC makes recommendations for best practices concerning privacy disclosures in the hope of making them more effective. While noting the proliferation of smart phone usage and accessibility of apps, as well as the increasing amount of transparent personal data being shared across platforms, the report’s focus with regard to its recommendations is disclosure.]]></description>
  <dc:creator></dc:creator>
  <dc:date>2013-03-27T09:10:27Z</dc:date>
  <content:encoded><![CDATA[<p>In a report released by the Federal Trade Commission (“FTC”) in February 2013, the FTC makes recommendations for best practices concerning privacy disclosures in the hope of making them more effective.  While noting the proliferation of smart phone usage and accessibility of apps, as well as the increasing amount of transparent personal data being shared across platforms, the report’s focus with regard to its recommendations is disclosure.</p>
<p>The report focuses on consistency of disclosures and best practices for service providers and developers, and offers advice to advertising networks. None of this is mandated, however, and one question remains: are the disclosures enough to satisfy the FTC and other regulatory bodies?</p>
<p>Merely informing consumers that their personal data may be exchanged with third parties when they want or need the app is tantamount to a boilerplate or adhesion contract. The consumer is obviously in an inferior bargaining position and has no means to take exception to the behavior other than not installing the app. This of course presumes that the consumer is even aware of how far-reaching this data collection is. From geo-location data to user preferences, this information is being shared with partners and partners of partners.</p>
<p>Regardless of how the landscape continues to evolve, anyone who develops or offers mobile apps should seek to ensure that their disclosures are at least up to par with respect to the FTC’s best practices.  Another recommendation would be to view a mobile app which you develop as another form of sharing data with third parties and ensure that you follow your own company’s policies as well as specific regulatory requirements for your industry. As an example, regulations for one industry in particular actually require affirmative opt-out provisions for the disclosure of information to third parties.  </p>
]]></content:encoded>
 </item>
 <item rdf:about="/main/california_regulates_employer_social_media_access.aspx?blogid=172">
  <title>California Becomes Third State to Regulate Employer Access to Social Media</title>
  <link>http://www.scottandscottllp.com/main/california_regulates_employer_social_media_access.aspx?blogid=172</link>
  <description><![CDATA[<p>Last month, California Governor Jerry Brown signed Assembly Bill 1844 into law, making California the third state, behind Maryland and Illinois, to create statutory privacy protections for social media users from their employers. Senate Bill 1349 applies the same prohibitions on the state’s colleges and universities. </p>]]></description>
  <dc:creator></dc:creator>
  <dc:date>2012-10-18T15:11:35Z</dc:date>
<content:encoded><![CDATA[<p>Last month, California Governor Jerry Brown signed <a title="Assembly Bill 1844" href="http://leginfo.legislature.ca.gov/faces/billNavClient.xhtml?bill_id=201120120AB1844">Assembly Bill 1844</a> into law, making California the third state, behind Maryland and Illinois, to create statutory privacy protections for social media users from their employers. Senate Bill 1349 applies the same prohibitions to the state’s colleges and universities.</p>
<p>Essentially, the laws prohibit employers and universities from asking for social media website credentials from employees or applicants. The laws also prohibit employers and universities from asking employees or applicants to show the employers the content posted to the employee’s or applicant’s social media websites. The law further prohibits employers from retaliating against an employee or applicant that does not comply with a request violating this law. </p>
<p>AB 1844 does contain exceptions to the prohibition on employer access, allowing employers to require or request access to social media sites that are either reasonably believed to be relevant to an investigation of employee misconduct or when necessary to grant the employer access to an employer-issued device. There is not a civil cause of action specified under AB 1844, but under the California Labor Code, the Labor Commissioner is authorized to investigate Labor Code violations.</p>
<p>The laws take effect on January 1, 2013. For those companies operating in California, now is a good time to review your procedures and policies with respect to employees’ social media activities to ensure compliance with the new laws in the new year.</p>]]></content:encoded>
 </item>
 <item rdf:about="/main/state_data_breach_laws_evolve.aspx?blogid=172">
  <title>State Data Breach Laws Continue to Evolve/Diverge</title>
  <link>http://www.scottandscottllp.com/main/state_data_breach_laws_evolve.aspx?blogid=172</link>
  <description><![CDATA[While data privacy and compliance professionals clamor for a single, Federal data breach notification statute, states have continued to establish and amend their own medley of breach notification statutes. As of September, 2012, 46 states and the District of Columbia have enacted some version of consumer data breach notification requirements. This disparate environment makes compliance under these evolving and sometimes divergent state notification frameworks both technically and logically challenging for organizations that find themselves cleaning up after a data breach.]]></description>
  <dc:creator></dc:creator>
  <dc:date>2012-10-08T13:54:14Z</dc:date>
  <content:encoded><![CDATA[<p>While data privacy and compliance professionals clamor for a single, Federal data breach notification statute, states have continued to establish and amend their own medley of breach notification statutes. As of September, 2012, 46 states and the District of Columbia have enacted some version of consumer data breach notification requirements. This disparate environment makes compliance under these evolving and sometimes divergent state notification frameworks both technically and logically challenging for organizations that find themselves cleaning up after a data breach. </p>
<p align="justify">There is, however, some commonality among the state data breach laws. Generally, the laws address the following issues related to data breach notification: 1) timing; 2) civil/criminal penalties; 3) private rights of action; 4) safe harbors; 5) exemptions for law enforcement efforts; and 6) whether materiality of the breach should be considered. Unsurprisingly, no one category of issue is addressed in any standardized way among the several states. Even the basic timing requirement for notification varies wildly, from the “no more than 7 business days after investigation concludes” language in the Maine statute to the purposefully vague “without unreasonable delay” language used by a handful of other states. See our <a title="State Data Breach Notification Laws chart" href="http://www.scottandscottllp.com/main/uploadedFiles/resources/Publications/state_data_breach_notification_law.pdf" target="_blank">State Data Breach Notification Laws chart</a> for a handy resource that highlights the differences between the various state laws.</p>
<p>A good, conservative approach when trying to comply with a multitude of statutory frameworks is to model the response on the most restrictive and onerous of the state laws. However, this approach is impractical in all but the most straightforward of breach events. Instead, careful consideration of the nature of the breach, the number of potentially affected individuals, and the states in which those individuals reside must be made before deciding on any course of action with respect to notification under state breach laws.</p>
 </item>
 <item rdf:about="/main/data_breach_insurance_coverage.aspx?blogid=172">
  <title>Data Breach Insurance Coverage Lawsuit Highlights Necessity for Cyber Liability</title>
  <link>http://www.scottandscottllp.com/main/data_breach_insurance_coverage.aspx?blogid=172</link>
<description><![CDATA[In August of 2012, the Sixth Circuit ruled on a case that determined who is responsible for the costs associated with loss of data arising from a hacking incident in Retail Ventures, Inc. v. Nat’l Union Fire Ins. Co., -- F.3d --, 2012 WL 3608432 (6th Cir. Aug. 23, 2012). In this matter, DSW Shoe Warehouse was targeted by computer hackers who successfully accessed their systems and harvested the credit card and checking account information for more than 1.4 million DSW customers. In its efforts to conduct thorough investigations into the incident and comply with the numerous state and federal data breach notification requirements, DSW incurred expenses of more than $5M.]]></description>
  <dc:creator></dc:creator>
  <dc:date>2012-09-10T13:13:25Z</dc:date>
<content:encoded><![CDATA[<p>In August of 2012, the Sixth Circuit ruled on a case that determined who is responsible for the costs associated with loss of data arising from a hacking incident in Retail Ventures, Inc. v. Nat’l Union Fire Ins. Co., -- F.3d --, 2012 WL 3608432 (6th Cir. Aug. 23, 2012). In this matter, DSW Shoe Warehouse was targeted by computer hackers who successfully accessed their systems and harvested the credit card and checking account information for more than 1.4 million DSW customers. In its efforts to conduct thorough investigations into the incident and comply with the numerous state and federal data breach notification requirements, DSW incurred expenses of more than $5M.</p>
<p>DSW sought to offset these costs (which, by the way, are not at all atypically large for a data breach of this size) by making a claim on its insurance policy under an endorsement called “Computer &amp; Funds Transfer Fraud Coverage.” While this endorsement may seem like a no-brainer policy to make a data breach claim under, the language of the policy provided coverage for loss “resulting directly” from theft as a result of computer fraud. Here, however, the insurance provider refused to cover the loss, claiming that any loss sustained did not “result directly” from the hacking event. On appeal, the Sixth Circuit affirmed the lower court’s award in favor of DSW, holding that the insurance provider had breached the contract with DSW when it refused to cover DSW’s claim, as the language of the policy was ambiguous and thus should be construed in the light most favorable to the non-drafting party.</p>
<p>While DSW ultimately prevailed, this case highlights how important it is to have a cyber liability policy in place that is written to specifically cover the costs associated with a data breach event. When forced to rely on non-cyber liability endorsements, the insured may find itself having to engage in legal gymnastics to argue that it is entitled to coverage of associated breach costs. Even for events involving a fraction of the number of users, costs can quickly extend to six figures and beyond. If your company routinely handles sensitive customer information, be sure you and your vendors have cyber liability policies in place to cover the costs related to these unfortunate events.</p>]]></content:encoded>
 </item>
 <item rdf:about="/main/connecticut_amends_data_breach_notification_statute.aspx?blogid=172">
  <title>Connecticut Amends Data Breach Notification Statute</title>
  <link>http://www.scottandscottllp.com/main/connecticut_amends_data_breach_notification_statute.aspx?blogid=172</link>
  <description><![CDATA[On June 15, 2012, Connecticut amended the state’s security breach notification law. The amendment will go into effect on October 1, 2012, and requires businesses to notify the state Attorney General when notice of a security breach is provided to state residents—with such notice to affected residents to be provided “without unreasonable delay.” Connecticut follows Vermont as the second state this summer to amend its data breach statute to require notice to be given to the state’s Attorney General.]]></description>
  <dc:creator></dc:creator>
  <dc:date>2012-07-17T17:26:55Z</dc:date>
  <content:encoded><![CDATA[<p>On June 15, 2012, Connecticut amended the state’s security breach notification law. The amendment will go into effect on October 1, 2012, and requires businesses to notify the state Attorney General when notice of a security breach is provided to state residents—with such notice to affected residents to be provided “without unreasonable delay.” Connecticut follows Vermont as the second state this summer to amend its data breach statute to require notice to be given to the state’s Attorney General. </p>
<p>The Connecticut and Vermont amendments seem to be on the forefront of a legislative trend requiring companies suffering a data breach to provide notice of the breach not only to the affected individuals, but also to state or federal offices, giving those agencies the ability to initiate independent investigations into the circumstances surrounding the breach. Similarly, Senator Pat Toomey’s proposed national breach notification law, the <a title="Data Security and Breach Notification Act of 2012" href="http://www.govtrack.us/congress/bills/112/s3333/text">Data Security and Breach Notification Act of 2012</a>, would require businesses to notify the Secret Service or the FBI if the number of affected individuals exceeds 10,000. Although there is no specific timing requirement for the notice to be provided to the federal agencies, the bill would require covered entities to notify affected individuals “as expeditiously as practicable and without unreasonable delay”—language that is used in over half of the state breach notification laws in effect today.</p>
<p>These additional requirements to notify governmental agencies in the event of a breach may derive from the White House’s <a title="Consumer Privacy Bill of Rights" href="http://www.scottandscottllp.com/main/white_house_outlines_consumer_privacy_bill_of_rights.aspx">Consumer Privacy Bill of Rights</a>, which states that consumers should have the right to have companies held accountable for violations of their rights under the Privacy Bill of Rights. But whatever the reason, companies that store personally identifiable information must have policies and procedures in place to handle the actual data breach event and subsequent notification requirements.</p>
<p>Toomey’s national data security bill joins a long list of <a title="proposed national data security legislation " href="http://www.scottandscottllp.com/main/Proposed_Federal_Data_Privacy_Legislation.aspx">proposed national data security legislation </a>that has been introduced in the past 18 months.</p>]]></content:encoded>
 </item>
 <item rdf:about="/main/blogentry.aspx?id=2992&amp;blogid=172">
<title>OCR’s HIPAA Audit Protocol</title>
  <link>http://www.scottandscottllp.com/main/blogentry.aspx?id=2992&amp;blogid=172</link>
<description><![CDATA[<p>On June 26<sup>th</sup>, the Office for Civil Rights (OCR), the federal agency that enforces the privacy and security regulations under HIPAA, <a href="http://ocrnotifications.hhs.gov/hipaa.html">published the protocol</a> it uses to conduct the audits required by the 2009 HITECH Act. According to OCR, the protocol is designed to analyze the “processes, controls, and policies” of covered entities in an effort to measure compliance under the HIPAA mandate. OCR set out three different areas that will be analyzed under this audit protocol: 1) privacy; 2) security; and 3) breach notification.</p>]]></description>
  <dc:creator></dc:creator>
  <dc:date>2012-07-10T15:57:14Z</dc:date>
<content:encoded><![CDATA[
<p>On June 26<sup>th</sup>, the Office for Civil Rights (OCR), the federal agency that enforces the privacy and security regulations under HIPAA, <a href="http://ocrnotifications.hhs.gov/hipaa.html"><u>published the protocol</u></a> it uses to conduct the audits required by the 2009 HITECH Act. According to OCR, the protocol is designed to analyze the "processes, controls, and policies" of covered entities in an effort to measure compliance under the HIPAA mandate. OCR set out three different areas that will be analyzed under this audit protocol: 1) privacy; 2) security; and 3) breach notification.</p>
<ul>
<li><strong>Privacy</strong>: includes audit procedures pursuant to notice of privacy practices, right to request privacy protection, protected health information ("PHI") access by individuals, administrative requirements, uses of PHI, amendments to PHI, and disclosures.</li>
<li><strong>Security</strong>: includes procedures used to measure administrative, physical, and technical safeguards used to secure PHI.</li>
<li><strong>Breach Notification</strong>: procedures for understanding an organization's preparedness to handle a breach event in a manner compliant with the requirements under the law.</li>
</ul>
<p>The OCR included in its release of the protocol a handy searchable table you can use to find out exactly what kinds of information the auditors will be looking for under any specific requirement. Examples of the information reviewed by the OCR auditors include: review of ePHI handling policies for employees and evaluation of the processes in place to identify critical applications, data, and processing of the data. This webpage is a definite candidate for bookmarking by every HIPAA compliance professional working in the field of PHI security and privacy.</p>
]]></content:encoded>
 </item>
 <item rdf:about="/main/cispa_passes_house.aspx?blogid=172">
  <title>Cyber Intelligence Sharing and Protection Act Bill Passes House</title>
  <link>http://www.scottandscottllp.com/main/cispa_passes_house.aspx?blogid=172</link>
  <description><![CDATA[On April 26, 2012, the U.S. House of Representatives passed the Cyber Intelligence Sharing and Protection Act (CISPA). According to the bill sponsors, CISPA is an essential update to the National Security Act of 1947 that adds provisions allowing for information about “cyber threats” to be shared between the government and private industry.]]></description>
  <dc:creator></dc:creator>
  <dc:date>2012-05-02T09:47:56Z</dc:date>
  <content:encoded><![CDATA[<p>On April 26, 2012, the U.S. House of Representatives passed the Cyber Intelligence Sharing and Protection Act (CISPA). According to the bill sponsors, CISPA is an essential update to the National Security Act of 1947 that adds provisions allowing for information about “cyber threats” to be shared between the government and private industry. The bill loosely defines “cyber threats” as potential vulnerabilities to government or private networks, including risks associated with efforts to disrupt those networks or steal intellectual property or personally identifiable information. Under CISPA, the government would act as a central information clearinghouse for cyber threat information collected across the country.</p>
<p>CISPA has been referred to by privacy alarmists as SOPA 2.0 (we all <a title="remember SOPA" href="http://en.wikipedia.org/wiki/Stop_Online_Piracy_Act">remember SOPA</a>, right?), but such a characterization is lazy. Both bills are similar in that they are ultimately concerned with stopping illegal online activities; however, unlike SOPA, which was ostensibly aimed at stopping illegal downloading of copyrighted content, CISPA is designed to create an information exchange between the government and private industry to share cyber threat intelligence. Few would argue that monitoring and sharing information about attacks and threats of attacks on the networks that underpin our economy is not an important objective. Where CISPA raises privacy concerns is in the details of how the information is to be shared. The bill allows companies full control to determine how much information they share with the government. In the event the government has some information an individual company needs regarding a potential threat, the concern is that the government could use that leverage to require more information from the company than it otherwise would be willing to share.</p>
<p>Privacy advocates’ concerns over the method and breadth of the data sharing have been echoed by the White House in a threat to veto CISPA as currently drafted. As a result, CISPA will likely see some revisions in the Senate, where it will be considered along with Senator Lieberman’s <a title="Cybersecurity Act of 2012" href="http://www.govtrack.us/congress/bills/112/s2105">Cybersecurity Act of 2012</a> and Senator McCain’s <a title="SECURE IT" href="http://www.govtrack.us/congress/bills/112/s2151">SECURE IT</a> bill.</p>]]></content:encoded>
 </item>
 <item rdf:about="/main/white_house_outlines_consumer_privacy_bill_of_rights.aspx?blogid=172">
  <title>White House Outlines Consumer Privacy Bill of Rights</title>
  <link>http://www.scottandscottllp.com/main/white_house_outlines_consumer_privacy_bill_of_rights.aspx?blogid=172</link>
<description><![CDATA[<p>In late February 2012, the White House outlined a consumer data privacy framework that includes a “Consumer Privacy Bill of Rights” in a report entitled “<a title="Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy" href="http://www.whitehouse.gov/sites/default/files/privacy-final.pdf">Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy</a>.” In it, the administration sets out a plan for a four-element approach to protection of consumer privacy: 1) enumerate the consumer privacy rights; 2) encourage industry development of codes of conduct; 3) strengthen FTC enforcement power; and 4) ensure interoperability with international privacy rules and regulations.</p>]]></description>
  <dc:creator></dc:creator>
  <dc:date>2012-03-22T16:13:25Z</dc:date>
<content:encoded><![CDATA[<p>In late February 2012, the White House outlined a consumer data privacy framework that includes a “Consumer Privacy Bill of Rights” in a report entitled “<a title="Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy" href="http://www.whitehouse.gov/sites/default/files/privacy-final.pdf">Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy</a>.” In it, the administration sets out a plan for a four-element approach to protection of consumer privacy: 1) enumerate the consumer privacy rights; 2) encourage industry development of codes of conduct; 3) strengthen FTC enforcement power; and 4) ensure interoperability with international privacy rules and regulations.</p>
<p>The Consumer Privacy Bill of Rights sets out seven individual rights that consumers have with respect to commercial uses of their personal data:</p>
<ul>
<li>Individual Control – consumers have the right to control both the kinds of data they share with a company and how the company uses that data.</li>
<li>Transparency – consumers have the right to accessible, easy-to-understand policies governing the security practices of the commercial companies.</li>
<li>Respect for Context – consumers have the right to expect companies to use their data in a way that is consistent with the context in which the consumer is engaging with the individual company.</li>
<li>Security – consumers have the right to reasonable, responsible protection of their data.</li>
<li>Access and Accuracy – consumers have the right to access and correct their personal data held by a company.</li>
<li>Focused Collection – consumers have the right to have companies impose reasonable limits on the kinds of data they collect from the consumer.</li>
<li>Accountability – consumers have the right to have companies held accountable for any violation of their rights under the Consumer Privacy Bill of Rights.</li>
</ul>
<p>Without legislative authority, however, the bill of rights outlined by the administration amounts to little more than an interesting academic exercise. Cognizant of the fact that there is little likelihood of passing sweeping federal privacy legislation during an election year, the administration instead suggests that stakeholders (including individual companies, industry groups, consumer advocacy groups, State Attorneys General, and federal civil and criminal law enforcement) work to develop codes of conduct that will protect consumers’ right to privacy. The paper proposes empowering the FTC to, if not outright enforce the codes of conduct, at least strongly consider a company’s adherence to the codes of conduct in the event of any investigation or enforcement action.</p>
<p>Despite the fact that actual enforcement of the Consumer Privacy Bill of Rights is not imminent, companies doing any sort of business online should take this time to review their data privacy and security policies. Knowing how a business stands today with respect to these privacy and security issues will help to ease the transition to where it needs to go tomorrow.</p>]]></content:encoded>
 </item>
 <item rdf:about="/main/Office_for_Civil_Rights_to_Begin_Audits.aspx?blogid=172">
  <title>Office for Civil Rights to Begin HIPAA/HITECH Audits</title>
  <link>http://www.scottandscottllp.com/main/Office_for_Civil_Rights_to_Begin_Audits.aspx?blogid=172</link>
  <description><![CDATA[<p>On November 8, the Office for Civil Rights (OCR) at the U.S. Department of Health &amp; Human Services notified members of its HIPAA Privacy Rule listserv that it will begin conducting a pilot program of the audit requirement under Section 13411 of the HITECH Act. In the communication, OCR indicated that it will perform approximately 150 audits of covered entities in order to assess the protocols established for conducting the audits as well as to uncover any additional risks or vulnerabilities in the privacy and security rules themselves. The targeted covered entities will be notified of the request for their participation sometime this month, with OCR’s goal to conclude these pilot program audits by the end of next year.</p>]]></description>
  <dc:creator></dc:creator>
  <dc:date>2011-11-28T10:23:49Z</dc:date>
  <content:encoded><![CDATA[<p>On November 8, the Office for Civil Rights (OCR) at the U.S. Department of Health &amp; Human Services notified members of its HIPAA Privacy Rule listserv that it will begin conducting a pilot program of the audit requirement under Section 13411 of the HITECH Act. In the communication, OCR indicated that it will perform approximately 150 audits of covered entities in order to assess the protocols established for conducting the audits as well as to uncover any additional risks or vulnerabilities in the privacy and security rules themselves. The targeted covered entities will be notified of the request for their participation sometime this month, with OCR’s goal to conclude these pilot program audits by the end of next year.</p><p>Under Section 13411, any covered entity or business associate is eligible to be audited. For the pilot program, however, only covered entities will be targeted. OCR states that it will use a selection of a broad range of covered entities in order to ensure its auditing protocols are put to the test across a wide variety of scenarios. Specifically, OCR cites "<a title="covered individual and organizational providers of health services, health plans of all sizes and functions, and health care clearinghouses" href="http://www.hhs.gov/ocr/privacy/hipaa/enforcement/audit/index.html" target="_blank"><u>covered individual and organizational providers of health services, health plans of all sizes and functions, and health care clearinghouses</u></a>" as potential targets for the pilot. 
According to OCR’s audit protocols, the goal is to complete each audit within 180 days from the date the notification letter is sent.</p><p>Even though business associates are excluded from direct consideration for the pilot, it is possible that a target’s business associate could be indirectly implicated in a pilot audit, since the privacy and security rules under HIPAA/HITECH require specific contractual relationships between covered entities and their business associates. How much a business associate should expect to participate in a covered entity’s audit remains to be seen, but it would not be unreasonable for OCR auditors to request copies of all of the covered entity’s business-associate agreements. Those agreements should include the business associate’s HIPAA compliance policies and procedures.</p><p>Though the pilot-program class is small, now may be a good time for HIPAA business associates to revisit their agreements and HIPAA/HITECH compliance policies to be prepared in the event that an important covered-entity customer is selected for this pilot program.</p>]]></content:encoded>
 </item>
 <item rdf:about="/main/SOPA_Moves_To_House_Committee.aspx?blogid=172">
  <title>SOPA Moves To House Committee with Modifications</title>
  <link>http://www.scottandscottllp.com/main/SOPA_Moves_To_House_Committee.aspx?blogid=172</link>
  <description><![CDATA[<p>The U.S. House Judiciary Committee will consider the Stop Online Piracy Act ("SOPA") on November 16, a bill designed to complement the proposed PROTECT IP Act in the Senate in efforts to fight online piracy and copyright infringement.</p>]]></description>
  <dc:creator></dc:creator>
  <dc:date>2011-11-28T09:56:43Z</dc:date>
  <content:encoded><![CDATA[<p>The U.S. House Judiciary Committee will consider the Stop Online Piracy Act ("SOPA") on November 16, a bill designed to complement the proposed PROTECT IP Act in the Senate in efforts to fight online piracy and copyright infringement.</p>
<p>House representatives have proposed restricting the authority of the government and copyright holders to block access to foreign websites accused of copyright infringement. The provision would require a court ruling prior to any action taken against any allegedly infringing sites. Critics of the similar PROTECT IP Act have argued previously that unilateral action by copyright owners or the government to ban or block websites accused of copyright infringement from advertisements or search engines raises potential First Amendment concerns and other legal implications.</p>
<p>The November hearing should enable critics and supporters to make a case for other, potential revisions to the legislation. If passed, this legislation will directly impact a copyright owner’s remedies in enforcing his or her copyright. Foreign websites hosting copyrighted materials will be most affected.</p>
<p>Copyright owners should be aware of remedies for online copyright infringement and should seek experienced counsel to help navigate the legal implications.</p>]]></content:encoded>
 </item>
 <item rdf:about="/main/New_Texas_Healthcare_Privacy_Law.aspx?blogid=172">
  <title>New Texas Healthcare Privacy Law</title>
  <link>http://www.scottandscottllp.com/main/New_Texas_Healthcare_Privacy_Law.aspx?blogid=172</link>
  <description><![CDATA[<p>Starting on September 1, 2012, businesses handling electronic protected health information (ePHI) in Texas will be subject to more stringent data privacy and security regulations and harsher penalties than those imposed by federal HIPAA regulations. Among other things, the new bill, signed into law in June 2011 by Governor Rick Perry, expands on the HIPAA definition of a “covered entity.”</p>]]></description>
  <dc:creator></dc:creator>
  <dc:date>2011-08-02T15:30:14Z</dc:date>
  <content:encoded><![CDATA[<p>Starting on September 1, 2012, businesses handling electronic protected health information (ePHI) in Texas will be subject to more stringent data privacy and security regulations and harsher penalties than those imposed by federal HIPAA regulations. Among other things, the new bill, signed into law in June 2011 by Governor Rick Perry, expands on the HIPAA definition of a “covered entity.”</p>
<p>Under the new law, “covered entities” are broadly defined as any organization that handles electronic health records. This expanded definition has the potential to impact many organizations that are not currently “covered entities” under HIPAA, such as SaaS and cloud providers who market to health care organizations. In addition to complying with HIPAA requirements, covered entities are required to provide custom training sessions within 60 days of hire. In addition, the time period for responding to patients’ written requests for copies of EHR is reduced from 30 days under HIPAA to 15 days. The new law also includes an explicit ban on selling patient records for profit, and a breach-notification requirement similar to that recently enacted under the Health Information Technology for Economic and Clinical Health Act (HITECH).</p>
<p>In addition to the more stringent regulations, there are harsher civil penalties available under the new law. Depending on the degree of intent exhibited in committing a violation, penalties can range from $1,500 to $1.5M per year for disclosure of PHI. The monetary penalties are in addition to any penalties levied by the federal government under HIPAA/HITECH, and they can also include license revocations.</p>
<p>Although the law will not be effective until September 2012, I recommend taking time this year to revisit your organization’s status under the new law and to determine if your current compliance policies and procedures are sufficient to address any new requirements.</p>]]></content:encoded>
 </item>
 <item rdf:about="/main/Proposed_Federal_Data_Privacy_Legislation.aspx?blogid=172">
  <title>Overview of Proposed Federal Data Privacy Legislation for 2011</title>
  <link>http://www.scottandscottllp.com/main/Proposed_Federal_Data_Privacy_Legislation.aspx?blogid=172</link>
  <description><![CDATA[Arguably as a result of the Obama administration’s call for federal data privacy and security legislation, a number of bills have been introduced this year in both the House and Senate to address consumer-data privacy issues. Introduced earlier this spring were the <a href="http://www.govtrack.us/congress/bill.xpd?bill=s112-913">Do Not Track Online Act</a>, <a href="http://www.scottandscottllp.com/main/blogentry.aspx?id=2298">discussed here previously</a>, and the comprehensive, <a href="http://www.govtrack.us/congress/bill.xpd?bill=s112-799">Commercial Privacy Bill of Rights Act</a> sponsored by political heavyweights Senators John Kerry and John McCain. A new crop of bills introduced this summer focuses on data-protection procedures and breach-notification requirements. Highlights from these entries, by Senators Leahy and Pryor and Representative Bono Mack, are outlined below.]]></description>
  <dc:creator></dc:creator>
  <dc:date>2011-08-02T15:27:39Z</dc:date>
  <content:encoded><![CDATA[<p>Arguably as a result of the Obama administration’s call for federal data privacy and security legislation, a number of bills have been introduced this year in both the House and Senate to address consumer-data privacy issues. Introduced earlier this spring were the <a title="Do Not Track Online Act" href="http://www.govtrack.us/congress/bill.xpd?bill=s112-913" target="_blank">Do Not Track Online Act</a>, <a title="discussed here previously" href="http://www.scottandscottllp.com/main/blogentry.aspx?id=2298" target="_blank">discussed here previously</a>, and the comprehensive, <a title="Commercial Privacy Bill of Rights Act" href="http://www.govtrack.us/congress/bill.xpd?bill=s112-799" target="_blank">Commercial Privacy Bill of Rights Act</a> sponsored by political heavyweights Senators John Kerry and John McCain. A new crop of bills introduced this summer focuses on data-protection procedures and breach-notification requirements. Highlights from these entries, by Senators Leahy and Pryor and Representative Bono Mack, are outlined below.</p>
<p>Personal Data Privacy and Security Act – Sen. Leahy</p>
<ul><li>Preempts state breach notification statutes</li>
<li>Criminalizes intentionally or willfully concealing a data breach</li>
<li>Breach notification to be made “without unreasonable delay”</li>
</ul>
<p>Secure and Fortify Electronics (SAFE) Data Act – Rep. Bono Mack</p>
<ul><li>Preempts state breach notification statutes</li>
<li>48-hour breach notification requirement, in some cases</li>
<li>Civil penalties available; capped at $5M</li>
</ul>
<p>Data Security and Breach Notification Act – Sen. Pryor</p>
<ul><li>Similar form to the SAFE Data Act</li>
<li>60-day breach notification requirement</li>
<li>Includes special rules for “Information Brokers”</li>
</ul>
<p>Whether any of these become law by the end of this year’s session is not clear. However, the 48-hour breach-notification requirement proposed by Rep. Bono Mack seems to be generally unworkable in practice, making the requirement unlikely to be a component of any enacted law. What is clear, however, is that with recent, highly publicized and scrutinized data breaches at <a title="Lockheed Martin" href="http://www.computerweekly.com/Articles/2011/05/31/246816/Lockheed-Martin-investigates-possible-link-between-cyber-attack-and-RSA-data.htm" target="_blank">Lockheed Martin</a> and <a title="Sony" href="http://www.businessweek.com/news/2011-05-03/sony-data-breach-exposes-users-to-years-of-identity-theft-risk.html" target="_blank">Sony</a>, greater-than-average political will exists in Congress to approve some form of federal data privacy and security legislation this year.</p>]]></content:encoded>
 </item>
 <item rdf:about="/main/Do_Not_Track_Me_Bill_Introduced.aspx?blogid=172">
  <title>Do Not Track Me Bill Introduced in Congress</title>
  <link>http://www.scottandscottllp.com/main/Do_Not_Track_Me_Bill_Introduced.aspx?blogid=172</link>
  <description><![CDATA[<p>Last month, California Representative Jackie Speier introduced H.R. 654, the so-called <a href="http://www.gpo.gov/fdsys/pkg/BILLS-112hr654ih/pdf/BILLS-112hr654ih.pdf"><u>Do Not Track Me Online</u></a> bill, to Congress. The bill is the first response to the Federal Trade Commission’s December 2010 request for the establishment of a Do Not Track registry for online users that would be similar to the Do Not Call registry for telemarketing calls established in 2003. The Do Not Track Me Online bill calls for the FTC to establish regulations requiring covered entities (defined as companies engaging in interstate commerce that collect or store online data), to allow customers to opt out of online tracking. The bill provides for monetary penalties for violations of the bill, not to exceed $5 million for a related series of events.</p>]]></description>
  <dc:creator></dc:creator>
  <dc:date>2011-03-18T13:16:58Z</dc:date>
  <content:encoded><![CDATA[<p>Last month, California Representative Jackie Speier introduced H.R. 654, the so-called <a href="http://www.gpo.gov/fdsys/pkg/BILLS-112hr654ih/pdf/BILLS-112hr654ih.pdf"><u>Do Not Track Me Online</u></a> bill, to Congress. The bill is the first response to the Federal Trade Commission’s December 2010 request for the establishment of a Do Not Track registry for online users that would be similar to the Do Not Call registry for telemarketing calls established in 2003. The Do Not Track Me Online bill calls for the FTC to establish regulations requiring covered entities (defined as companies engaging in interstate commerce that collect or store online data), to allow customers to opt out of online tracking. The bill provides for monetary penalties for violations of the bill, not to exceed $5 million for a related series of events.</p>
<p>The Do Not Track Me Online bill would require covered entities to comply with the requests of consumers not to track their online movements via tracking cookies and other technologies, and also to provide reports to the agency regarding data-collection methodology and data-sharing activities. The bill also leaves open options for the FTC to modify its rules to include other requirements, specifically including a provision to force covered entities to provide consumers with means to access the consumers’ online activity data stored by the covered entity.</p>
<p>These regulatory requirements would not apply to companies that: 1) store online activity information on fewer than 15,000 people; 2) collect online activity information from fewer than 10,000 consumers in a year; 3) do not collect sensitive information from consumers; and 4) do not use online activity information to analyze online behavior as the company’s primary business. Although this is the preliminary draft and likely will undergo significant changes before it gets to the floor for a vote, the power and reach of the bill lies in the “sensitive information” element of the exclusion above. The bill defines sensitive information as information related to the health, race, religion, sexual orientation, financial accounts, geolocation, or personal identifiers of the consumer, though it allows the FTC room to modify this definition. The FTC could broaden the scope of covered entities to include those that collect other personally identifying information, a move that would increase the rule’s scope to require any company that collects sensitive information, regardless of its size, to comply with these regulations.</p>]]></content:encoded>
 </item>
 <item rdf:about="/main/Right_to_Privacy_in_Email.aspx?blogid=172">
  <title>Sixth Circuit Recognizes Right to Privacy in E-mail</title>
  <link>http://www.scottandscottllp.com/main/Right_to_Privacy_in_Email.aspx?blogid=172</link>
  <description><![CDATA[<p>In a ruling handed down on December 14, 2010, the Sixth Circuit in <i>United States v. Warshak</i> held that a user of a third-party e-mail service has a reasonable expectation of privacy in the e-mails stored on the third-party’s servers. In the case, the government failed to obtain a search warrant based on probable cause before it compelled Warshak’s ISP to turn over his e-mail communications. The government argued that the Stored Communications Act of 1986 (SCA) permitted just such a warrantless search. In holding that Warshak had a reasonable expectation of privacy, the court struck that part of the SCA as unconstitutional.</p>]]></description>
  <dc:creator></dc:creator>
  <dc:date>2011-01-20T16:57:59Z</dc:date>
  <content:encoded><![CDATA[<p>In a ruling handed down on December 14, 2010, the Sixth Circuit in <i>United States v. Warshak</i> held that a user of a third-party e-mail service has a reasonable expectation of privacy in the e-mails stored on the third-party’s servers. In the case, the government failed to obtain a search warrant based on probable cause before it compelled Warshak’s ISP to turn over his e-mail communications. The government argued that the Stored Communications Act of 1986 (SCA) permitted just such a warrantless search. In holding that Warshak had a reasonable expectation of privacy, the court struck that part of the SCA as unconstitutional.</p>
<p>Privacy issues such as those addressed by the Sixth Circuit in <i>Warshak</i> likely will continue to dominate the news in the coming year. As more individuals, companies, and governments communicate and store data in the cloud, both the technological and legal privacy and security of that data will be tested. And as the <i>Warshak</i> case demonstrates, federal statutes drafted decades ago, or even mere years ago, cannot reasonably be interpreted in light of the current state of online data storage and communication. At its base, the privacy issue in <i>Warshak</i> is no different from that in traditional forms of private communication, as the Sixth Circuit correctly reasoned. In 1986, however, it was not so simple to draw the analogy between electronically stored communications and regular mail. Legislators are not often elected for their ability to understand how technological changes will affect current legislation.</p>
<p>Legislation aimed at regulating, or otherwise affecting, technological change is almost always going to be outdated shortly after it is passed. This is not necessarily because we do not have bright, technologically savvy legislators drafting these laws. Rather, it likely has more to do with the fact that our brand of democracy results in a government that often is slow to respond. To effectively mitigate privacy and security risks, reliance on the government for protection is not a wise strategy. The best protection will result from carefully considered, contractual provisions that include in the balance of equities the privacy and security risks individuals and organizations face when entering the cloud.</p>]]></content:encoded>
 </item>
 <item rdf:about="/main/Mississippi_Passes_Notification_Law.aspx?blogid=172">
  <title>Mississippi Becomes 46th State to Pass Data Breach Notification Law</title>
  <link>http://www.scottandscottllp.com/main/Mississippi_Passes_Notification_Law.aspx?blogid=172</link>
<description><![CDATA[<p>Earlier this year, Mississippi passed legislation requiring organizations to notify individuals whose personal information is compromised by a data breach. With only Alabama, Kentucky, New Mexico and South Dakota as the remaining states without data breach notification laws, Mississippi joins the vast majority of states to have passed such legislation. <a href="http://billstatus.ls.state.ms.us/documents/2010/pdf/HB/0500-0599/HB0583SG.pdf"><u>House Bill 583</u></a> will not go into effect until July 1, 2011, but its form and structure track many other states’ notice requirements in the event of a data breach.</p>]]></description>
  <dc:creator></dc:creator>
  <dc:date>2010-12-08T10:01:52Z</dc:date>
<content:encoded><![CDATA[<p>Earlier this year, Mississippi passed legislation requiring organizations to notify individuals whose personal information is compromised by a data breach. With only Alabama, Kentucky, New Mexico and South Dakota as the remaining states without data breach notification laws, Mississippi joins the vast majority of states to have passed such legislation. <a href="http://billstatus.ls.state.ms.us/documents/2010/pdf/HB/0500-0599/HB0583SG.pdf"><u>House Bill 583</u></a> will not go into effect until July 1, 2011, but its form and structure track many other states’ notice requirements in the event of a data breach.</p>
<p>Based on California’s original definition of personally identifying information (PII), for a breach to trigger the Mississippi notification requirement, the leaked PII must include a name along with a social security number or driver’s license or an account number in combination with any required security or access code. In the event of a triggering breach, notification must be made to individuals only, not to government regulators or any credit reporting agencies. However, in cases where the breaching organization reasonably determines that the breach is not likely to result in harm to the affected individuals, the notification requirement is waived. The law also includes a safe harbor for organizations that secure PII by encryption or other technologies rendering the PII “unreadable or unusable.”</p>
<p>Although there are many similarities between Mississippi’s breach requirement and other state breach notification requirements, significant differences exist with respect to acceptable time to notify, criminal and civil penalties, safe harbors and exemptions. For the vast majority of businesses handling personal information, a careful review of PII handling policies as well as an implementation of a breach notification procedure is recommended. For an outline of the major requirements under each state’s breach notification law, please see our <a href="/resources/state_data_breach_notification_law.pdf"><u>State Data Breach Notification Laws chart</u></a>.</p>]]></content:encoded>
 </item>
 <item rdf:about="/main/Dave_And_Busters_Busted.aspx?blogid=172">
  <title>Dave &amp; Buster’s Busted</title>
  <link>http://www.scottandscottllp.com/main/Dave_And_Busters_Busted.aspx?blogid=172</link>
  <description><![CDATA[<p>The FTC recently approved a settlement with Dave &amp; Buster’s, Inc., a restaurant and arcade chain, for the largest recorded data breach of private credit card information.</p>]]></description>
  <dc:creator></dc:creator>
  <dc:date>2010-07-08T12:32:05Z</dc:date>
  <content:encoded><![CDATA[<p>The FTC recently approved a settlement with Dave &amp; Buster’s, Inc., a restaurant and arcade chain, for the largest recorded data breach of private credit card information.</p>
<p>The hackers responsible for stealing credit card data from Dave &amp; Buster’s gained access through an unsecured wireless Internet router, or wireless access point (WAP).  The hackers had sought out businesses with no Internet security password and, after gaining access to the networks, had obtained credit card numbers and customer data in real time as the cards were swiped.</p>
<p>There is a growing trend for the FTC to seek civil damages for lax Internet security in order to encourage businesses to provide additional protective measures for online data, including wireless Internet routers.  In addition to the monetary damages Dave &amp; Buster’s will pay to settle the claim related to this data breach, the company will be required to maintain an information security program and to have its security systems professionally audited semi-annually.</p>
<p>Basic information security guidelines can help to prevent this type of breach.  It is important to secure passwords, to enable firewall protection, and to institute additional, appropriate security safeguards to protect consumer information.  This is especially important when dealing with sensitive financial data.</p>]]></content:encoded>
 </item>
 <item rdf:about="/main/Costly_Privacy_Breaches_in_2009.aspx?blogid=172">
  <title>Costly Privacy Breaches in 2009</title>
  <link>http://www.scottandscottllp.com/main/Costly_Privacy_Breaches_in_2009.aspx?blogid=172</link>
  <description><![CDATA[]]></description>
  <dc:creator></dc:creator>
  <dc:date>2009-12-29T13:04:13Z</dc:date>
  <content:encoded><![CDATA[<p><b>Costly Privacy Breaches in 2009</b></p>
<p>Network security failures have led to some of the largest breaches of private financial and personal data in 2009.</p>
<p align="left"><b>Heartland Payment Systems</b> reached a settlement with American Express for $3.6 million after a security breach revealed 130 million credit and debit card numbers, affecting nearly 4.2 million people. Several class action lawsuits are currently pending.</p>
<ul><li>Although Heartland Payment Systems exposed private financial data for American Express customers that resulted in a multi-million dollar settlement, <b>American Express</b> faced its own privacy breach in Phoenix, Arizona. A company employee enabled accomplices to withdraw more than $1 million by supplying PIN numbers, account information, and credit and debit card numbers.</li>
<li>In 2008, a Countrywide Financial employee copied data onto a flash drive with the intention of selling nearly 2 million customer records. One year later, after <b>Bank of America</b> acquired Countrywide, it discovered a man posing as an Air Force reservist had obtained thousands of account numbers, resulting in a loss of $500,000.</li>
<li>One of the top security breaches did not result from hacking, but rather the implementation of a skimming device on ATMs. <b>Chase Bank</b> discovered a skimmer had been placed on ATMs, recording the magnetic strip information and taking small amounts of money from customer accounts, totaling nearly $1.8 million.</li>
<li><b>RBS Worldpay</b> experienced a similar breach after hackers obtained financial data and cloned ATM cards, stealing nearly $9 million from more than 130 ATMs.</li>
<li>An unknown source managed to obtain and sell <b>Capital One Bank’s</b> customer information online. Using counterfeit cards and customer information, the crime ring collected more than $650,000 from ATMs in Minnesota.</li>
<li>Accounting departments should carefully scrutinize employee payrolls after <b>PayChoice</b>, a payroll processing company, was alerted that their system had been compromised after customers reported that fake employee names appeared on their payrolls. The extent of financial information is not currently known.</li>
<li>The <b>Bank of New York Mellon</b> learned that employee information should be protected from hackers and theft. A man used more than 150 identities of bank employees to take $1.1 million. The theft targeted charities, non-profit organizations, and other entities.</li>
<li>Internet service providers should take heed from the breach at <b>Network Solutions</b>, where code implanted on the company’s web servers tracked and copied financial information from hosted online stores. Nearly 573,000 credit and debit card accounts were compromised.</li>
</ul>
<p>Companies should work with counsel and other qualified consultants to take extra precautions to protect web servers and restrict employee access to private personal and financial data to prevent cybercrime.</p>]]></content:encoded>
 </item>
 <item rdf:about="/main/Businesses_Fail_to_Guard_Against_and_Respond_to_Data_Security_Breaches_at_their_Peril.aspx?blogid=172">
  <title>Businesses Fail to Guard Against and Respond to Data Security Breaches at their Peril</title>
  <link>http://www.scottandscottllp.com/main/Businesses_Fail_to_Guard_Against_and_Respond_to_Data_Security_Breaches_at_their_Peril.aspx?blogid=172</link>
  <description><![CDATA[<p>A complaint filed in the U.S. District Court for the Eastern District of Missouri is a reminder of the importance of implementing a thorough system of procedures and protocols regarding data security and responses to security breaches.</p>]]></description>
  <dc:creator></dc:creator>
  <dc:date>2009-07-27T16:35:18Z</dc:date>
  <content:encoded><![CDATA[<p>A complaint filed in the U.S. District Court for the Eastern District of Missouri is a reminder of the importance of implementing a thorough system of procedures and protocols regarding data security and responses to security breaches.</p>
<p>Pharmacy benefits manager Express Scripts is facing a class-action lawsuit filed by an Express Scripts member who alleges that the company failed to use effective measures to protect the secrecy of its members’ confidential information and that it also failed to give reasonable notice of a security breach potentially affecting millions of those members. The complaint alleges that Express Scripts received an extortion demand in October 2008 indicating that an unauthorized third party had gained access to members’ personal data and that some individual members also had received similar threats. The complaint further alleges that Express Scripts failed, in the months following the breach, to send any notifications to its members other than vague statements posted on its website in November.</p>
<p>Currently, businesses with nation-wide operations face a patchwork quilt of federal and state laws regarding both steps required to safeguard personal data as well as steps to be taken in the event of a breach. With regard specifically to post-breach notifications, 44 states, the District of Columbia, Puerto Rico and the Virgin Islands all have enacted their own legislation requiring notification of security breaches involving personal information. Therefore, for large enterprises such as Express Scripts, which is also subject to complex federal rules such as HIPAA, data security planning can be a daunting undertaking.</p>
<p>However, businesses choosing or needing to retain potentially sensitive customer information nevertheless must make appropriate plans. The alternative, as Express Scripts may learn, entails negative publicity as a result of the initial breach, compounded by negative publicity as a result of an inadequate response. That kind of reputational damage can be difficult and costly to repair, especially if or when attorney’s fees and civil damages enter the equation.</p>
<p>All businesses, large and small, that handle confidential customer information must consult with knowledgeable counsel to ensure that they are protecting against and prepared for data security breaches.</p>]]></content:encoded>
 </item>
 <item rdf:about="/main/privacy_act.aspx?blogid=172">
  <title>The Privacy Act</title>
  <link>http://www.scottandscottllp.com/main/privacy_act.aspx?blogid=172</link>
  <description><![CDATA[<p>Like other companies, governmental agencies are also required to maintain the privacy of records in their possession. The Privacy Act prohibits government agencies from disclosing “any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains.”</p>]]></description>
  <dc:creator></dc:creator>
  <dc:date>2009-01-26T10:00:45Z</dc:date>
  <content:encoded><![CDATA[<p>Like other companies, governmental agencies are also required to maintain the privacy of records in their possession. The Privacy Act prohibits government agencies from disclosing “any record which is contained in a system of records by any means of communication to any person, or to another agency, except pursuant to a written request by, or with the prior written consent of, the individual to whom the record pertains.” The Privacy Act allows disclosure without consent only in limited circumstances, including:</p>
<ul type="disc"><li>Disclosure to the Census Bureau and the Bureau of Labor Statistics;</li>
<li>Disclosure for routine uses within a U.S. government agency;</li>
<li>Disclosure when “a record which has sufficient historical or other value to warrant its continued preservation by the United States Government;”</li>
<li>Disclosure to law enforcement agencies;</li>
<li>Disclosure to aid in congressional investigations; or</li>
<li>Disclosure for other administrative purposes.</li>
</ul>
<p>The penalties for violating the Privacy Act can be harsh. Federal courts can award reasonable attorneys’ fees, litigation costs, and damages. If a court finds that the agency acted willfully or intentionally, the court can award actual damages or the amount of $1,000.00 per person, whichever is greater.</p>
<p>The Computer Matching and Privacy Protection Act of 1988 (Pub. L. No. 100-503) amended the Privacy Act to add several new provisions. These provisions add procedural requirements for agencies to follow when engaging in computer-matching activities; provide matching subjects with opportunities to receive notice and to refute adverse information before having a benefit denied or terminated; and require that agencies engaged in matching activities establish Data Protection Boards to oversee those activities.</p>]]></content:encoded>
 </item>
 <item rdf:about="/main/drafting_privacy_policies.aspx?blogid=172">
  <title>Drafting and Defending Privacy Policies and Incident Response Plans</title>
  <link>http://www.scottandscottllp.com/main/drafting_privacy_policies.aspx?blogid=172</link>
  <description><![CDATA[<p>Because the requirements for businesses that collect personal information about consumers can be stringent, it is critical to know which standards apply. Regardless of which regulations govern an organization, it is imperative that the organization have a comprehensive privacy policy that satisfies the requirements for the applicable industry and geographic location(s).</p>]]></description>
  <dc:creator></dc:creator>
  <dc:date>2009-01-12T16:43:04Z</dc:date>
  <content:encoded><![CDATA[<p>Because the requirements for businesses that collect personal information about consumers can be stringent, it is critical to know which standards apply. Regardless of which regulations govern an organization, it is imperative that the organization have a comprehensive privacy policy that satisfies the requirements for the applicable industry and geographic location(s).</p>
<p>Every privacy policy should contain a clear and concise statement of what personal information the organization collects; whether the company discloses the information to third parties and, if so, under what circumstances; a list of the safeguards employed to protect the information; and a discussion of any opt-out provisions required.</p>
<p>Your company can face potential liability if your privacy policy does not reflect your actual privacy practices. Claims and remedies based on privacy policies can include:</p>
<ul><li>Investigations by appropriate regulatory authorities.</li>
<li>Orders prohibiting further misrepresentations.</li>
<li>Orders requiring an independent, periodic analysis certifying that the company has a comprehensive information security program.</li>
<li>Claims based on negligence for failing to follow enumerated policies.</li>
<li>Civil fines.</li>
<li>Officer and director liability.</li>
</ul>
<p>It is vital that companies use customized privacy policies prepared after carefully considering their ability to deliver on their promises. For that reason, it is not advisable to copy policies from the internet, or promise more than is legally required.</p>]]></content:encoded>
 </item>
 <item rdf:about="/main/data_breach_notification_update.aspx?blogid=172">
  <title>State Data Breach Notification Legislative Update</title>
  <link>http://www.scottandscottllp.com/main/data_breach_notification_update.aspx?blogid=172</link>
  <description><![CDATA[<p>In the past year, five states – Alaska, Iowa, South Carolina, Virginia, and West Virginia – have enacted data breach notification laws, bringing to 45 the total number of U.S. jurisdictions (plus Washington D.C.) with laws on the books. The states with no data breach notification laws are Alabama, Kentucky, Mississippi, Missouri, New Mexico, and South Dakota.</p>]]></description>
  <dc:creator></dc:creator>
  <dc:date>2008-10-31T12:08:05Z</dc:date>
  <content:encoded><![CDATA[<p>In the past year, five states – Alaska, Iowa, South Carolina, Virginia, and West Virginia – have enacted data breach notification laws, bringing to 45 the total number of U.S. jurisdictions (plus Washington D.C.) with laws on the books. The states with no data breach notification laws are Alabama, Kentucky, Mississippi, Missouri, New Mexico, and South Dakota.</p>
<p>For the most part, all of the new laws follow what is now a fairly familiar pattern for data breach notification requirements. All require that notice of a breach be provided without “unreasonable delay,” but notice may be delayed to accommodate any pending law enforcement investigations. Notice also is not required under any of the new laws when the data that was accessed was encrypted. All of the laws provide for civil penalties for failure to comply.</p>
<p>However, there are a couple of noteworthy differences. West Virginia and Iowa join a minority of states with laws that do not allow for private causes of action for failure to comply with the notification requirements. In addition, the South Carolina, Virginia and West Virginia enactments contain no express exemption for immaterial breaches, though breaches requiring notice generally are defined to include only those where there is a reasonable risk of harm to the person whose data was accessed.</p>
<p>As always, businesses handling personal information should remain vigilant regarding any new or revised provisions in the data breach notification laws for the jurisdictions in which they conduct business. There have been no major new developments regarding the enactment of a national data breach notification law, and, at this point, with so many state laws on the books, it is possible that a federal law either will, if passed, provide only supplementary requirements in addition to the state laws or will fail to reach passage altogether. The longer the state regimes remain in place, the less the likelihood of complete federal preemption on the issue.</p>
<p>Therefore, for the foreseeable future, businesses will need to maintain up-to-date notification procedures that are in compliance with the laws of each state where they operate. It remains advisable to consult with counsel in developing procedures that are consistent with business goals and objectives.</p>]]></content:encoded>
 </item>
 <item rdf:about="/main/state_data_encryption_laws.aspx?blogid=172">
  <title>State Data Encryption Laws Ready to Take Effect</title>
  <link>http://www.scottandscottllp.com/main/state_data_encryption_laws.aspx?blogid=172</link>
  <description><![CDATA[<p>By now, many U.S. businesses (hopefully) have taken steps to familiarize themselves and to contend with the patchwork quilt of state laws that sets forth standards regarding what must be done in the wake of an IT security breach affecting customer data.</p>]]></description>
  <dc:creator></dc:creator>
  <dc:date>2008-10-31T12:04:35Z</dc:date>
  <content:encoded><![CDATA[<p>By now, many U.S. businesses (hopefully) have taken steps to familiarize themselves and to contend with the patchwork quilt of state laws that sets forth standards regarding what must be done in the wake of an IT security breach affecting customer data. (Click <a href="http://www.scottandscottllp.com/main/uploadedFiles/resources/Publications/state_data_breach_notification_law.pdf"><u>here</u></a> for more background on that topic.) While contingency planning in light of these laws (now present in 44 states and the District of Columbia) usually entails some up-front costs in the form of diverted resources and attorney’s fees, the overall cost of implementation has been relatively low. It may be fitting, then, that the perceived benefit of these laws has been similarly minimal, with some estimating only a 2% reduction in identity theft in recent years that can be attributed to data breach notification legislation.</p>
<p>It is perhaps as a result of such low estimated return that some states now are starting to implement tougher standards describing the steps that businesses must take in order to prevent such breaches from occurring in the first place. Nevada’s law is the first and went into effect on October 1, 2008. Massachusetts is set to follow with a more detailed set of regulations in January, with Michigan and Washington State in the process of considering similar measures.</p>
<p>The Nevada provision is succinct:</p>
<p>A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.</p>
<p>“Encryption” and “personal information” are defined by reference to other statutes and have meanings similar to those typically used in the notification laws. (See <a class="bookmark" id="NRS597Sec970" title="NRS597Sec970" name="NRS597Sec970"></a><span class="empty"><a href="http://www.leg.state.nv.us/NRS/NRS-597.html#NRS597Sec970"><u>NRS 597.970</u></a></span><span class="section">.)</span></p>
<p>The effect of the Nevada law is to give a victim of identity theft resulting from a data breach a statutory standard of care to enforce against the business that, as a result of negligent (or other) non-compliance with the law, experienced the breach that led to the identity theft in question. Other questions pertaining to the practical implementation of the standard remain, including how to show a causal link between the breach and the ID theft and whether some injury short of ID theft – such as the cost of signing up for credit monitoring – would support a damages claim sufficient to allow a case to proceed to trial. However, it is clear that companies doing business in Nevada now have a tangible interest in deploying encryption technology to protect the data of customers living in that state.</p>
<p>In Massachusetts, the stakes could be even higher. There, the state’s Office of Consumer Affairs &amp; Business Regulation has adopted regulations, to become effective on January 1, 2009, that provide detailed definitions of the standards businesses must meet in order to bring their data handling technology and protocols into compliance. (See <a href="http://www.mass.gov/?pageID=ocaterminal&amp;L=4&amp;L0=Home&amp;L1=Consumer&amp;L2=Privacy&amp;L3=Identity+Theft&amp;sid=Eoca&amp;b=terminalcontent&amp;f=reg201cmr17&amp;csid=Eoca"><u>201 CMR 17.00</u></a>.) While the Massachusetts regulations’ enabling statute does not create a private cause of action for failure to comply, it does give the state attorney general the authority to file a lawsuit for injunctive relief and, in some cases, civil penalties up to $5,000.00 per violation.</p>
<p>As with the notification laws, there is no unified, federal standard for data handling to pre-empt what may become another medley of state laws for businesses to navigate. If these laws become more commonplace (and it appears that they very well may), it will become even more critical for companies conducting interstate transactions to work closely with counsel in order to ensure their compliance with all applicable data handling standards and safeguards.</p>
]]></content:encoded>
 </item>
 <item rdf:about="/main/internet_service_provider_liability.aspx?blogid=172">
  <title>New Potential Liability for Internet Service Providers</title>
  <link>http://www.scottandscottllp.com/main/internet_service_provider_liability.aspx?blogid=172</link>
  <description><![CDATA[<p>The U.S. District Court in New Hampshire recently issued a written opinion that undoubtedly will give some Internet service providers reason to re-think their policies with regard to some anonymous user accounts. In Doe v. Friendfinder Network, Inc., the plaintiff discovered prior to filing suit that an unnamed individual had created a number of profiles using information about the plaintiff’s identity on various social networking websites operated by the defendants and oriented toward people seeking sexual relationships with others.</p>]]></description>
  <dc:creator></dc:creator>
  <dc:date>2008-08-13T11:47:59Z</dc:date>
  <content:encoded><![CDATA[<p>The U.S. District Court in New Hampshire recently issued a written opinion that undoubtedly will give some Internet service providers reason to re-think their policies with regard to some anonymous user accounts. In Doe v. Friendfinder Network, Inc., the plaintiff discovered prior to filing suit that an unnamed individual had created a number of profiles using information about the plaintiff’s identity on various social networking websites operated by the defendants and oriented toward people seeking sexual relationships with others. The plaintiff sued the defendants on various state-law claims arising out of the allegedly false and unauthorized personal advertisements. In its opinion, the court addressed the defendants’ motion to dismiss, which asserted that the plaintiff’s claims were barred by the Communications Decency Act of 1996. That Act provides, in part, that “[n]o provider or user of an interactive computer service shall be treated as the publisher or speaker of any information provided by another information content provider,” which the Act further defines as “any person or entity that is responsible, in whole or in part, for the creation or development of information provided through the Internet or any other interactive computer service.”</p>
<p>The court held that the Act did work to bar all of the plaintiff’s state-law claims, except for one: invasion of privacy, to the extent that the plaintiff’s claim was based on the right of publicity. The court specifically looked to an exception in the Act, which provides: “[n]othing in this section shall be construed to limit or expand any law pertaining to intellectual property.” The court stated that a state-law right of publicity claim arises from a “law pertaining to intellectual property,” and it further held that state-law intellectual property claims are within the scope of the Act’s exception. In so holding, the court expressly disapproved the 9th Circuit’s opinion in Perfect 10, Inc. v. CCBill, LLC, where it held last year that the exception only extended to claims based on violations of federal laws pertaining to intellectual property.</p>
<p>The Friendfinder case may be one to watch for at least two reasons. First, it has the potential to set up a conflict between two federal circuits, which may help lead to or hasten review by the Supreme Court. (A petition for certiorari was denied following the 9th Circuit’s ruling in the CCBill case.) Second, if the trial court’s opinion in Friendfinder prevails, then Internet service providers – especially those operating social networking sites (which now include heavy-hitters such as Facebook and Second Life) – may face the daunting prospect of having to verify the validity of information entered in users’ personal profiles in order to avoid exposure from state-law claims based on violation of a third party’s right of publicity. Such a precedent could mean significant changes to the way such sites operate today.</p>]]></content:encoded>
 </item>
 <item rdf:about="/main/privacy_internet_constitutional_right_to_privacy.aspx?blogid=172">
  <title>New Jersey Court Determines Internet Users Have a Constitutional Right to Privacy</title>
  <link>http://www.scottandscottllp.com/main/privacy_internet_constitutional_right_to_privacy.aspx?blogid=172</link>
  <description><![CDATA[<p>The Supreme Court of New Jersey recently became one of the first courts in the nation to determine that Internet users have a Constitutional right to privacy under Article I of the New Jersey Constitution. Because of the ruling, a grand jury warrant will be required before law enforcement officials can access personal information about the Internet users.</p>]]></description>
  <dc:creator></dc:creator>
  <dc:date>2008-08-13T10:57:55Z</dc:date>
  <content:encoded><![CDATA[<div class="entry-body"><p>The Supreme Court of New Jersey recently became one of the first courts in the nation to determine that Internet users have a Constitutional right to privacy under Article I of the New Jersey Constitution. Because of the ruling, a grand jury warrant will be required before law enforcement officials can access personal information about the Internet users.</p>
<p>The Court considered the issue after Shirley Reid was charged with second-degree theft for allegedly hacking into her employer’s computer system from her home computer. When her employer asked Comcast for the identity of the person who accessed the employer’s computer network, Comcast refused to do so without a subpoena. Investigators then obtained a municipal court subpoena and served it on Comcast. Comcast complied with the subpoena and identified Reid as the person who accessed the employer’s network.</p>
<p>A New Jersey superior court suppressed the evidence based on the fact that investigators did not obtain a grand jury subpoena. A state appellate court agreed, and the Cape May County Prosecutor’s Office appealed to the New Jersey Supreme Court, which unanimously upheld the decision. The Prosecutor’s Office has indicated that it intends to continue pursuing the case by requesting the appropriate grand jury subpoena.</p>
<p>Although the United States Supreme Court concluded that there is no federal Constitutional right to privacy on the Internet, the New Jersey law will take precedence in New Jersey cases involving Internet privacy.</p>
</div>]]></content:encoded>
 </item>
 <item rdf:about="/main/privacy_security_company_settles_with_ftc.aspx?blogid=172">
  <title>Student Loan Company Settles With FTC</title>
  <link>http://www.scottandscottllp.com/main/privacy_security_company_settles_with_ftc.aspx?blogid=172</link>
  <description><![CDATA[<p>The FTC announced on March 4 a settlement with Goal Financial, LLC, a San Diego-based student loan company that allegedly violated information privacy laws. If accepted, the settlement will require Goal Financial to implement a comprehensive information security program and subject itself to independent, third-party audits every two years for 10 years.</p>]]></description>
  <dc:creator></dc:creator>
  <dc:date>2008-08-13T10:41:09Z</dc:date>
  <content:encoded><![CDATA[<div class="entry-body"><p>The FTC announced on March 4 a settlement with Goal Financial, LLC, a San Diego-based student loan company that allegedly violated information privacy laws. If accepted, the settlement will require Goal Financial to implement a comprehensive information security program and subject itself to independent, third-party audits every two years for 10 years.</p>
<p>Goal Financial provides a variety of loan services and collects personal information from loan applications and other sources. The information includes name, address, telephone number, driver’s license number, Social Security number, date of birth, and income, debt, and employment information in its course of business. The company is therefore a “financial institution” according to the Gramm-Leach-Bliley Act (“GLBA”) and is subject to the GLBA’s Safeguards Rule and Privacy Rule. Goal Financial stores the records in electronic and paper form.</p>
<p>The FTC’s complaint alleges that Goal Financial engaged in a number of practices that, taken together, failed to employ reasonable and appropriate security measures to protect personal information. Specifically, the complaint alleges that Goal Financial placed at risk the personal information of over 41,000 consumers because it failed to:</p>
<ol><li>assess adequately risks to the information it collected and stored in its paper files and on its computer network;</li>
<li>restrict adequately access to personal information stored in its paper files and on its computer network to authorized employees;</li>
<li>implement a comprehensive information security program, including reasonable policies and procedures in key areas such as the collection, handling, and disposal of personal information;</li>
<li>provide adequate training to employees about handling and protecting personal information and responding to security incidents; and</li>
<li>require third-party service providers by contract to protect the security and confidentiality of personal information.</li>
</ol>
<p>Goal Financial’s employees allegedly exploited these failures and removed more than 7000 consumer files containing sensitive information without authorization and transferred them to third parties. In 2006, a Goal Financial employee sold to the public computer hard drives containing personal information of approximately 34,000 consumers.</p>
<p>Due to such failures, Goal Financial also violated the Safeguards Rule of the GLBA, which requires financial institutions to protect the security, confidentiality, and integrity of customer information by developing a comprehensive written information security program that contains reasonable administrative, technical, and physical safeguards.</p>
<p>Additionally, the Privacy Rule requires financial institutions to provide customers, no later than when a customer relationship arises and annually for the duration of that relationship, “a clear and conspicuous notice that accurately reflects [the financial institution’s] privacy policies and practices,” including its security policies and practices. Goal Financial distributed to its customers a privacy policy that contained false or misleading statements regarding the measures implemented to protect its customers’ personal information.</p>
<p>The proposed settlement requires Goal Financial to institute measures to bring it into compliance with the rules stated above and to prevent it from committing future violations.</p>
<p>View the news release <a href="http://www.ftc.gov/opa/2008/03/studlend.shtm"><u>http://www.ftc.gov/opa/2008/03/studlend.shtm</u></a></p>
<p>View the complaint <a href="http://www.ftc.gov/os/caselist/0723013/080304complaint.pdf"><u>http://www.ftc.gov/os/caselist/0723013/080304complaint.pdf</u></a></p>
<p>View the proposed settlement <a href="http://www.ftc.gov/os/caselist/0723013/080304analysis.pdf"><u>http://www.ftc.gov/os/caselist/0723013/080304analysis.pdf</u></a></p>
</div>]]></content:encoded>
 </item>
 <item rdf:about="/main/accenture_sued_for_data_security.aspx?blogid=172">
  <title>Accenture Sued for Negligence by the State of Connecticut</title>
  <link>http://www.scottandscottllp.com/main/accenture_sued_for_data_security.aspx?blogid=172</link>
  <description><![CDATA[<p>Many companies have started to experience the consequences of non-existent, insufficient or poorly implemented data security plans in the form of enforcement lawsuits filed by state attorneys general for violations of state data privacy and data security laws. However, in an interesting twist on this usual variety of state-initiated litigation arising out of poor data breach planning, the State of Connecticut is suing IT consultant Accenture for alleged negligence in losing electronic files containing information on bank accounts for almost all Connecticut state agencies as well as several hundred state purchasing cards and a handful of Connecticut taxpayers.</p>]]></description>
  <dc:creator></dc:creator>
  <dc:date>2008-08-13T10:30:21Z</dc:date>
  <content:encoded><![CDATA[<p>Many companies have started to experience the consequences of non-existent, insufficient or poorly implemented data security plans in the form of enforcement lawsuits filed by state attorneys general for violations of state data privacy and data security laws. However, in an interesting twist on this usual variety of state-initiated litigation arising out of poor data breach planning, the State of Connecticut is suing IT consultant Accenture for alleged negligence in losing electronic files containing information on bank accounts for almost all Connecticut state agencies as well as several hundred state purchasing cards and a handful of Connecticut taxpayers. Connecticut’s lawsuit also alleges unauthorized use of state information and breach of contract.</p>
<p>Connecticut hired Accenture to develop network systems that would allow it to consolidate payroll, accounting, personnel and other functions. Information related to Connecticut’s employees was contained on a data tape stolen from the car of an Accenture intern working on an unrelated, though similar project for the State of Ohio. (The tape also contained personal information on about 1.3 million Ohio residents.) The intern apparently had been using the Connecticut program as a template for the Ohio project. You can read more about the incident and subsequent lawsuit <a href="http://www.nytimes.com/2007/09/17/nyregion/17tape.html?ex=1347681600&amp;en=b21f4a6c1a3cc635&amp;ei=5088&amp;partner=rssnyt&amp;emc=rss"><u>here</u></a> and <a href="http://www.scmagazineus.com/connecitcut-sues-accenture-over-ohio-breach/article/35761/"><u>here</u></a>.</p>
<p>The Accenture case underscores the business necessity of having a thorough data security program that employees actually follow, because breaches can be very costly and weak links in the security chain are prevalent. An effective plan should provide for contingencies affecting sensitive data, especially financial or health information. Plans should also ensure either that all of the business’s employees are aware of the data security policies and procedures, or, better yet, provide for physical, electronic, or procedural barriers to prevent data from being used for any unnecessary or non-business-critical purposes. Companies implementing security plans should consider reducing the risks identified in the Accenture matter by prohibiting interns from having access to sensitive information and restricting the presence of sensitive information on portable devices.</p>
<p>With the increasing number of lawsuits focused on data breach and security incidents, it is crucial that all businesses take steps to develop comprehensive security policies and also to ensure that their assets will be protected in the event that those policies fail.</p>]]></content:encoded>
 </item>
 <item rdf:about="/main/thought_on_data_breach_notification_laws.aspx?blogid=172">
  <title>More Food for Thought on Data Breach Notification Laws</title>
  <link>http://www.scottandscottllp.com/main/thought_on_data_breach_notification_laws.aspx?blogid=172</link>
  <description><![CDATA[<p>A recent Government Accountability Office report has provided some interesting new statistics regarding the effects of data breaches on victims. The gist of the report (available <a href="http://www.gao.gov/new.items/d07737.pdf"><u>here</u></a>) is helpfully summarized in its title: “Data Breaches are Frequent, but Evidence of Resulting Identity Theft is Limited; However the Full Extent is Unknown.” The GAO found that there have been what would seem to be a distressingly high total number of reported breaches in recent years, including 570 breaches reported in the public media from 2005 to 2006, 788 breaches involving 17 different federal agencies from 2003 to 2006, and 225 reported breaches in New York State alone in the ten months from December 2005 to October 2006.</p>]]></description>
  <dc:creator></dc:creator>
  <dc:date>2008-08-13T10:24:30Z</dc:date>
  <content:encoded><![CDATA[<div class="entry-body"><p>A recent Government Accountability Office report has provided some interesting new statistics regarding the effects of data breaches on victims. The gist of the report (available <a href="http://www.gao.gov/new.items/d07737.pdf"><u>here</u></a>) is helpfully summarized in its title: “Data Breaches are Frequent, but Evidence of Resulting Identity Theft is Limited; However the Full Extent is Unknown.” The GAO found that there have been what would seem to be a distressingly high total number of reported breaches in recent years, including 570 breaches reported in the public media from 2005 to 2006, 788 breaches involving 17 different federal agencies from 2003 to 2006, and 225 reported breaches in New York State alone in the ten months from December 2005 to October 2006. However, despite such figures, the number of known cases of identity theft resulting from data breach has been relatively low. As an example, the report states:</p>
<p>“…our review of the 24 largest breaches that appeared in the news media from January 2000 through June 2005 found that 3 breaches appeared to have resulted in fraud on existing accounts, and 1 breach appeared to have resulted in the unauthorized creation of new accounts. For 18 of the breaches, no clear evidence had been uncovered linking them to identity theft; and for the remaining 2, we did not have sufficient information to make a determination.”</p>
<p>However, the report also reminds its audience of the challenge involved in measuring the effects of data breach on victims, since those victims often are unaware that the security of their personally-identifiable information has been compromised and since many criminally-inclined recipients of lost or stolen data often wait for a year or more before attempting to make any use of the information.</p>
<p>The report makes no official recommendations, though it does emphasize the need for Congress, in considering the various potential federal data breach notification bills before it, to weigh the benefit of any such legislation against the cost of compliance, both in terms of the financial impact to business as well as the risk that consumers might begin to disregard breach notices if they become too numerous.</p>
<p>None of this should sound terribly shocking to anyone who follows this issue, although the release of the GAO report likely will make lawmakers feel more justified in taking even more time to make a decision with regard to a federal data breach law. That may be a good thing, to the extent that further deliberations might help Congress to formulate a risk-based approach that is not unnecessarily onerous for the businesses that would have to comply with the statute. However, the longer the issue is left unresolved, the longer those same businesses will be left scratching their heads trying to follow the patchwork quilt of state data breach laws or risking their necks being early adopters of umbrella rules or perceived trends in best practices.</p>
</div>]]></content:encoded>
 </item>
 <item rdf:about="/main/valueclick_settle_with_ftc.aspx?blogid=172">
  <title>ValueClick agrees to Settle with FTC for $2.9 Million</title>
  <link>http://www.scottandscottllp.com/main/valueclick_settle_with_ftc.aspx?blogid=172</link>
  <description><![CDATA[<p>In a record settlement, ValueClick recently agreed to pay the Federal Trade Commission (“FTC”) $2.9 million to settle claims that ValueClick violated federal law and used deceptive advertising. The FTC alleged that ValueClick failed to protect consumer information and misled consumers with advertising that did not clearly disclose the cost of products. </p>]]></description>
  <dc:creator></dc:creator>
  <dc:date>2008-08-13T10:21:24Z</dc:date>
  <content:encoded><![CDATA[<p>In a record settlement, ValueClick recently agreed to pay the Federal Trade Commission (“FTC”) $2.9 million to settle claims that ValueClick violated federal law and used deceptive advertising. The FTC alleged that ValueClick failed to protect consumer information and misled consumers with advertising that did not clearly disclose the cost of products.</p>
<p>ValueClick, through its wholly owned subsidiary, E-Babylon, sold printer ink and printer accessories through a variety of websites that utilized an on-line credit and debit card payment processing system. Consumers purchasing products on these websites were required to provide personal information including name, address, phone number, credit card number, and credit card expiration date. The websites also required consumers to provide the three-digit credit card verification code ("CVV2 code") printed on the back of credit cards. CVV2 codes are particularly sensitive because they are intended to protect consumers against fraudulent internet and telephone purchases in which a sales associate cannot physically verify that the card belongs to the cardholder. If stolen, the CVV2 code in conjunction with the consumer's personal information would make it easy for information thieves to make fraudulent purchases with the stolen information.</p>
<p>The FTC also alleged that ValueClick and its subsidiaries distributed or caused to be distributed privacy policies that claimed to protect consumers' personal information by encrypting data collected for the purpose of delivering products and services to consumers. The privacy policies claimed to use "industry standard" security measures to protect consumers' personal information. In fact, ValueClick and its subsidiaries used either no or limited encryption in their database systems. One of the defendants' systems used a simple alphabetic substitution scheme, which is not encryption by any industry standard.</p>
<p>Furthermore, the E-Babylon sites were vulnerable to Structured Query Language (SQL) injection attacks. In a SQL injection attack, the attacker manipulates input to the website (here, the address in the internet browser's address bar) so that the website passes attacker-controlled text into the queries it sends to the database supporting the website, exposing the information stored there. These databases contained consumers' personal information and credit card information. The FTC alleged that SQL injection attacks were a well-known and well-publicized form of hacking and that solutions were both available and inexpensive.</p>
<p>In addition to the monetary penalties, ValueClick agreed to clearly disclose in its ads and web pages that consumers must spend money to qualify for “free” merchandise. Additionally, ValueClick and its subsidiaries must refrain from making misrepresentations about the use of encryption to protect consumers’ data. Finally, ValueClick agreed to independent third-party assessments of its programs for 20 years.</p>]]></content:encoded>
 </item>
</rdf:RDF>