Entries tagged with "data privacy"
FTC Deadline for Commenting on Behavioral Advertising Guidelines Extended Until April 11
Julie Fulks

Businesses that use behavioral marketing and advertising techniques should consider reviewing and commenting on the Federal Trade Commission's ("FTC") proposed guidelines. The guidelines are designed to give consumers more visibility into the behavioral advertising process, a practice the FTC acknowledges can deliver real value to consumers and businesses alike.

The FTC's guidelines are designed to address four primary concerns:
- greater transparency and consumer control over data collection;
- the need to keep data collected for behavioral advertising out of the hands of criminals;
- ensuring that companies honor the privacy promises already made when they change their privacy policies; and
- limits on the collection of sensitive data, such as medical records or children's online activities, for behavioral advertising.

According to the FTC, businesses could use the guidelines as a tool for self-regulation. The FTC has extended the deadline for commenting on the guidelines until April 11. For the complete text of the proposed guidelines, visit the Federal Trade Commission's website.

Tags:

data privacy
Data Brokers Settle with FTC

Ilan Jenkins

Data brokers Reed Elsevier and Seisint have agreed to conduct biennial audits of their data protection procedures for 20 years as part of a settlement with the FTC. Businesses that come under FTC scrutiny and choose to settle data privacy allegations may have to bear the expense of costly audits for as long as 20 years.

Reed Elsevier, via its LexisNexis data broker business, and Seisint gather information about millions of consumers, including names, current and prior addresses, dates of birth, drivers’ license numbers and Social Security Numbers. The companies relied on user IDs and passwords to control customer access to consumer information in their databases.

The FTC alleged that Reed Elsevier and Seisint failed, among other things, to:

  • Make Seisint user credentials hard to guess;
  • Suspend credentials after a certain number of unsuccessful log-in attempts;
  • Require Seisint customers to encrypt or protect credentials, search queries or search results in transit between customer computers and Seisint Web sites;
  • Verify that new user credentials were created by customers rather than identity thieves;
  • Prevent users from sharing credentials;
  • Adequately assess the vulnerability of Seisint’s Web applications and computer network to commonly known attacks; and
  • Implement simple, low-cost, and readily available defenses to such attacks.
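Two of the controls the FTC faulted Seisint for omitting, guessable credentials and no suspension after repeated failed log-ins, are mechanical to implement. The following is an added example written for this page, not Seisint's or LexisNexis's software; the threshold of five attempts, the 15-minute lockout, the 12-character minimum and the short common-password list are all assumed policy values, since the complaint names none.

```python
"""Added example: credential-strength checks plus failed-login lockout.

Hypothetical code written for this page. It models two controls from the FTC
complaint: rejecting easy-to-guess passwords at registration, and suspending a
credential after a fixed number of unsuccessful log-in attempts.
"""
import hashlib
import hmac
import os
import time

MAX_FAILED_ATTEMPTS = 5      # assumed policy value; the complaint names no number
LOCKOUT_SECONDS = 15 * 60    # assumed lockout duration
MIN_PASSWORD_LENGTH = 12     # assumed minimum length

# Constructed list of guessable passwords. A real deployment would check against
# a large breached-password corpus rather than a handful of literals.
COMMON_PASSWORDS = {"password", "password1", "123456", "qwerty", "letmein", "welcome1"}


def password_is_weak(password: str, username: str) -> bool:
    """True if the password is short, on the common list, or contains the username."""
    lowered = password.lower()
    return (
        len(password) < MIN_PASSWORD_LENGTH
        or lowered in COMMON_PASSWORDS
        or username.lower() in lowered
    )


def hash_password(password: str, salt: bytes = b"") -> tuple:
    """Salted PBKDF2-HMAC-SHA256. Returns (salt, digest); the plaintext is never stored."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000)
    return salt, digest


class AccountStore:
    """In-memory user store that counts failed attempts and locks accounts."""

    def __init__(self, clock=time.time):
        self._clock = clock          # injectable so lockout expiry can be tested
        self._users = {}             # username -> {salt, digest, failures, locked_until}

    def register(self, username: str, password: str) -> None:
        """Refuse guessable credentials up front (the 'hard to guess' control)."""
        if password_is_weak(password, username):
            raise ValueError("password is too easy to guess")
        salt, digest = hash_password(password)
        self._users[username] = {"salt": salt, "digest": digest,
                                 "failures": 0, "locked_until": 0.0}

    def is_locked(self, username: str) -> bool:
        user = self._users.get(username)
        return user is not None and self._clock() < user["locked_until"]

    def login(self, username: str, password: str) -> bool:
        """Return True on success. Wrong passwords count toward the lockout, and a
        locked account is refused even with the right password, so an attacker
        cannot keep guessing once the threshold is reached."""
        user = self._users.get(username)
        if user is None:
            # Do the same hashing work for unknown users so response time does
            # not reveal which usernames exist.
            hash_password(password, b"\x00" * 16)
            return False
        if self.is_locked(username):
            return False
        _, digest = hash_password(password, user["salt"])
        if hmac.compare_digest(digest, user["digest"]):
            user["failures"] = 0
            return True
        user["failures"] += 1
        if user["failures"] >= MAX_FAILED_ATTEMPTS:
            user["locked_until"] = self._clock() + LOCKOUT_SECONDS
            user["failures"] = 0
        return False
```

The lockout state lives with the account rather than the client address, which is the point of the FTC's item: credential stuffing from many machines still exhausts the same five attempts. Sharing of credentials (another item on the list) is not addressed here; that needs session and device tracking beyond a password check.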

Identity thieves allegedly exploited these security failures and obtained access to the sensitive information of at least 316,000 consumers from Accurint databases. The identity thieves used the information to create and activate new credit cards with which they made fraudulent purchases. Reed Elsevier acquired Seisint in late 2004, and the breaches continued for at least nine months afterward, during which time Reed Elsevier controlled Seisint's practices.

For the next 20 years, auditors will be required to certify that the companies' security programs meet or exceed the requirements of the FTC's orders and are operating with sufficient effectiveness to provide reasonable assurance that the security of consumers' personal information is being protected. The Reed Elsevier and Seisint settlements also contain bookkeeping and record-keeping provisions that allow the FTC to monitor compliance with its orders.

View the complaint here.
View the settlement agreement here.

Tags:

data broker, data privacy
Posted on: 7/5/2008
Privacy and Data Security Act of 2007

Julie Machal Fulks

Since February 2005, approximately 100 million records containing personal information have been exposed in security breaches. More than 30 states have considered and adopted security and privacy legislation requiring businesses to notify consumers if a security breach creates the possibility of identity theft. The state provisions are not uniform and are often difficult to reconcile, so a company that suffers a breach involving customers in many states may be unsure of its notification obligations.

After high-profile security incidents were reported by DSW, TJ Maxx Stores, and many governmental entities, federal legislators raised the priority of proposed privacy and security regulations in an effort to make breach notification requirements more uniform. One such bill, the Personal Data Privacy and Security Act of 2007, introduced by Senators Leahy and Specter, would require entities that maintain personal data to notify both the affected individuals and law enforcement when they experience a breach involving sensitive personal information.

Unless Congress enacts a federal law that preempts state privacy breach notification statutes, businesses will continue to be impacted by the many disparate requirements in the numerous state breach notification laws.  Because the penalties for non-compliance can be severe and the costs for over-reporting can be significant, I advise businesses to consult with experienced counsel in the event of a security incident.

Tags:

privacy notice, breach notification, data breach, data privacy, data security breach, privacy
Recent Federal Government Data Breaches

Julie Machal Fulks

Private businesses are not the only victims of theft involving confidential information. In the largest security breach on record involving Social Security numbers, a U.S. Department of Veterans Affairs employee violated agency policy and took home a laptop containing the sensitive personal information of 26.5 million veterans discharged after 1975. Burglars stole the laptop from the employee's home. The stolen information included names, Social Security numbers, disability ratings, spouses' names, and dates of birth. In June, veterans filed class-action lawsuits seeking $1,000 for each of the 26.5 million people listed in the missing database files.

The Transportation Security Administration acknowledged that it recently lost a hard drive containing 100,000 archived employee records.  The TSA purchased credit monitoring services for employees whose data was involved in the breach.

On a smaller scale, two Federal Trade Commission laptops disappeared from a locked trunk.  The FTC attorneys were working on a case, and were authorized to have the laptops.  The information on the laptops included the names, addresses, Social Security numbers, financial account information, and dates of birth for persons the FTC had investigated.  The laptops did not contain any information about FTC employees or government officials.   Ironically, the laptops contained sensitive personal information for defendants that had been investigated for stealing other people’s identities.  The FTC offered free credit monitoring for 110 people as a result of the theft.

Tags:

data breach, data privacy, data security breach, privacy
ValueClick agrees to Settle with FTC for $2.9 Million

Ilan Jenkins

In a record settlement, ValueClick recently agreed to pay the Federal Trade Commission ("FTC") $2.9 million to settle claims that it violated federal law and used deceptive advertising. The FTC alleged that ValueClick failed to protect consumer information and misled consumers with advertising that did not clearly disclose the cost of products.

ValueClick, through its wholly owned subsidiary E-Babylon, sold printer ink and printer accessories through a variety of websites that used an online credit and debit card payment processing system. Consumers purchasing products on these websites were required to provide personal information including name, address, phone number, credit card number, and credit card expiration date. The websites also required the three-digit card verification code ("CVV2 code") printed on the back of the card. CVV2 codes are particularly sensitive because they exist to protect consumers against fraudulent Internet and telephone purchases, where no sales associate can physically verify that the card belongs to the cardholder. A stolen CVV2 code, combined with the consumer's other card and personal information, makes fraudulent card-not-present purchases straightforward.

The FTC also alleged that ValueClick and its subsidiaries distributed, or caused to be distributed, privacy policies claiming to protect consumers' personal information by encrypting data collected for the purpose of delivering products and services. The privacy policies claimed to use "industry standard" security measures to protect consumers' personal information. In fact, ValueClick and its subsidiaries used either no encryption or only limited encryption in their database systems, and one of the defendants' systems relied on a simple alphabetic substitution scheme, which is not encryption by any industry standard.

Furthermore, the E-Babylon sites were vulnerable to Structured Query Language (SQL) injection attacks. In a SQL injection attack, the attacker supplies crafted input, for example by editing a parameter in the browser's address bar or filling in a form field, that the web application concatenates into a database query; the attacker's text is then executed as part of the query and can read or alter information in the database supporting the website. Here those databases contained consumers' personal information and credit card information. The FTC alleged that SQL injection was a well-known and well-publicized form of hacking and that solutions were both available and inexpensive.
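The flaw and the "available and inexpensive" fix the FTC refers to are easiest to see side by side. The following is an added example written for this page, not E-Babylon's or ValueClick's application code; the customer table, its columns and its rows are constructed, and the lookup is assumed to be an order-status page keyed on the customer's e-mail address taken from the URL.

```python
"""Added example for this page: a SQL injection flaw of the kind described
above, beside the parameterised fix. Hypothetical code; the table name,
columns and sample rows are constructed."""
import sqlite3


def build_db() -> sqlite3.Connection:
    """Constructed sample customer table standing in for the sites' database."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (id INTEGER, email TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?, ?)",
        [(1, "ann@example.com", "1111"),
         (2, "bob@example.com", "2222"),
         (3, "cy@example.com", "3333")],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, email: str) -> list:
    """The flaw: the value from the URL (?email=...) is pasted into the SQL text,
    so a quote in the input closes the string literal and the remainder of the
    input is parsed as SQL."""
    sql = "SELECT id, email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, email: str) -> list:
    """The fix: a bound parameter. The driver passes the input to the engine as a
    value, never as query text, so quotes and keywords in it have no effect."""
    sql = "SELECT id, email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# What an attacker would type into the address bar, shown URL-decoded. The
# leading quote ends the literal; OR '1'='1' makes the WHERE clause match
# every row, so the whole table (including card data) comes back.
INJECTION_PAYLOAD = "x' OR '1'='1"


def demo() -> dict:
    """Run both lookups against a legitimate input and the payload; return row counts."""
    conn = build_db()
    return {
        "legit_vulnerable": len(lookup_vulnerable(conn, "ann@example.com")),
        "legit_fixed": len(lookup_fixed(conn, "ann@example.com")),
        "attack_vulnerable": len(lookup_vulnerable(conn, INJECTION_PAYLOAD)),
        "attack_fixed": len(lookup_fixed(conn, INJECTION_PAYLOAD)),
    }


if __name__ == "__main__":
    print(demo())
```

The fix is the placeholder and tuple in lookup_fixed, a one-line change per query, which is what makes the FTC's "inexpensive" characterization fair. Escaping quotes by hand is not a substitute: it has to be done correctly for every database and every input, and the complaint's other allegation (data stored with no real encryption) is exactly why a single injected query was enough to expose card data.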

In addition to the monetary penalties, ValueClick agreed to clearly disclose in its ads and web pages that consumers must spend money to qualify for “free” merchandise. Additionally, ValueClick and its subsidiaries must refrain from making misrepresentations about the use of encryption to protect consumers’ data. Finally, ValueClick agreed to independent third-party assessments of its programs for 20 years.

Tags:

data privacy
New Jersey Court Determines Internet Users Have a Constitutional Right to Privacy

Julie Machal Fulks

The Supreme Court of New Jersey recently became one of the first courts in the nation to hold that Internet users have a constitutional right to privacy under Article I of the New Jersey Constitution. Because of the ruling, law enforcement officials in New Jersey must obtain a grand jury subpoena before an Internet service provider can be compelled to disclose personal information about its subscribers.

The Court considered the issue after Shirley Reid was charged with second-degree theft for allegedly hacking into her employer’s computer system from her home computer. When her employer asked Comcast for the identity of the person who accessed the employer’s computer network, Comcast refused to do so without a subpoena. Investigators then obtained a municipal court subpoena and served it on Comcast. Comcast complied with the subpoena and identified Reid as the person who accessed the employer’s network.

A New Jersey superior court suppressed the evidence based on the fact that investigators did not obtain a grand jury subpoena. A state appellate court agreed, and the Cape May County Prosecutor’s Office appealed to the New Jersey Supreme Court, which unanimously upheld the decision. The Prosecutor’s Office has indicated that it intends to continue pursuing the case by requesting the appropriate grand jury subpoena.

Although the United States Supreme Court has not recognized a comparable federal constitutional right to privacy on the Internet, the New Jersey ruling will take precedence in New Jersey state cases involving Internet privacy.

Tags:

data privacy
Drafting and Defending Privacy Policies and Incident Response Plans

Julie Machal Fulks

Because the requirements for businesses that collect personal information about consumers can be stringent, it is critical to know which standards apply. Regardless of which regulations govern an organization, it is imperative that the organization have a comprehensive privacy policy that satisfies the requirements of its industry and of the geographic location(s) in which it operates.

Every privacy policy should contain:

  • a clear and concise statement of what personal information the organization collects;
  • whether the company discloses that information to third parties and, if so, under what circumstances;
  • a list of the safeguards employed to protect the information; and
  • a description of any opt-out provisions that are required.

Your company can face potential liability if your privacy policy does not reflect your actual privacy practices. Claims and remedies based on privacy policies can include:

  • Investigations by appropriate regulatory authorities.
  • Orders prohibiting further misrepresentations.
  • Orders requiring an independent, periodic analysis certifying that the company has a comprehensive information security program.
  • Claims based on negligence for failing to follow enumerated policies.
  • Civil fines.
  • Officer and director liability.

It is vital that companies use customized privacy policies, prepared after carefully considering their ability to deliver on the promises made. For that reason, it is not advisable to copy policies from the Internet or to promise more than the law requires.

Tags:

data privacy, information security
Posted on: 12/1/2009