<?xml version="1.0" encoding="UTF-8"?>
<?xml-stylesheet type="text/xsl" media="screen" href="/~d/styles/rss2full.xsl"?><?xml-stylesheet type="text/css" media="screen" href="http://feeds.lexblog.com/~d/styles/itemcontent.css"?><rss xmlns:dc="http://purl.org/dc/elements/1.1/" xmlns:feedburner="http://rssnamespace.org/feedburner/ext/1.0" version="2.0">
   <channel>
      <title>Info Law Group</title>
      <link>http://www.infolawgroup.com/</link>
      <description>Technology Lawyers &amp; Attorneys : Information Law Group : Privacy, Security &amp; Intellectual Property Law</description>
      <language>en</language>
      <copyright>Copyright 2012</copyright>
      <lastBuildDate>Wed, 16 May 2012 10:13:04 -0700</lastBuildDate>
      <pubDate>Wed, 16 May 2012 10:13:04 -0700</pubDate>
      <generator>http://www.movabletype.org</generator>
      <docs>http://blogs.law.harvard.edu/tech/rss</docs> 

            <feedburner:info uri="infolawgroup" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="hub" href="http://pubsubhubbub.appspot.com/" /><atom10:link xmlns:atom10="http://www.w3.org/2005/Atom" rel="self" type="application/rss+xml" href="http://www.infolawgroup.com/index.xml" /><feedburner:feedFlare href="http://add.my.yahoo.com/rss?url=http%3A%2F%2Fwww.infolawgroup.com%2Findex.xml" src="http://us.i1.yimg.com/us.yimg.com/i/us/my/addtomyyahoo4.gif">Subscribe with My Yahoo!</feedburner:feedFlare><feedburner:feedFlare href="http://www.newsgator.com/ngs/subscriber/subext.aspx?url=http%3A%2F%2Fwww.infolawgroup.com%2Findex.xml" src="http://www.newsgator.com/images/ngsub1.gif">Subscribe with NewsGator</feedburner:feedFlare><feedburner:feedFlare href="http://feeds.my.aol.com/add.jsp?url=http%3A%2F%2Fwww.infolawgroup.com%2Findex.xml" src="http://o.aolcdn.com/favorites.my.aol.com/webmaster/ffclient/webroot/locale/en-US/images/myAOLButtonSmall.gif">Subscribe with My AOL</feedburner:feedFlare><feedburner:feedFlare href="http://www.bloglines.com/sub/http://www.infolawgroup.com/index.xml" src="http://www.bloglines.com/images/sub_modern11.gif">Subscribe with Bloglines</feedburner:feedFlare><feedburner:feedFlare href="http://www.netvibes.com/subscribe.php?url=http%3A%2F%2Fwww.infolawgroup.com%2Findex.xml" src="http://www.netvibes.com/img/add2netvibes.gif">Subscribe with Netvibes</feedburner:feedFlare><feedburner:feedFlare href="http://fusion.google.com/add?feedurl=http%3A%2F%2Fwww.infolawgroup.com%2Findex.xml" src="http://buttons.googlesyndication.com/fusion/add.gif">Subscribe with Google</feedburner:feedFlare><feedburner:feedFlare href="http://www.pageflakes.com/subscribe.aspx?url=http%3A%2F%2Fwww.infolawgroup.com%2Findex.xml" src="http://www.pageflakes.com/ImageFile.ashx?instanceId=Static_4&amp;fileName=ATP_blu_91x17.gif">Subscribe with Pageflakes</feedburner:feedFlare><feedburner:feedFlare 
href="http://www.plusmo.com/add?url=http%3A%2F%2Fwww.infolawgroup.com%2Findex.xml" src="http://plusmo.com/res/graphics/fbplusmo.gif">Subscribe with Plusmo</feedburner:feedFlare><feedburner:feedFlare href="http://www.thefreedictionary.com/_/hp/AddRSS.aspx?http%3A%2F%2Fwww.infolawgroup.com%2Findex.xml" src="http://img.tfd.com/hp/addToTheFreeDictionary.gif">Subscribe with The Free Dictionary</feedburner:feedFlare><feedburner:feedFlare href="http://www.bitty.com/manual/?contenttype=rssfeed&amp;contentvalue=http%3A%2F%2Fwww.infolawgroup.com%2Findex.xml" src="http://www.bitty.com/img/bittychicklet_91x17.gif">Subscribe with Bitty Browser</feedburner:feedFlare><feedburner:feedFlare href="http://www.newsalloy.com/?rss=http%3A%2F%2Fwww.infolawgroup.com%2Findex.xml" src="http://www.newsalloy.com/subrss3.gif">Subscribe with NewsAlloy</feedburner:feedFlare><feedburner:feedFlare href="http://www.live.com/?add=http%3A%2F%2Fwww.infolawgroup.com%2Findex.xml" src="http://tkfiles.storage.msn.com/x1piYkpqHC_35nIp1gLE68-wvzLZO8iXl_JMledmJQXP-XTBOLfmQv4zhj4MhcWEJh_GtoBIiAl1Mjh-ndp9k47If7hTaFno0mxW9_i3p_5qQw">Subscribe with Live.com</feedburner:feedFlare><feedburner:feedFlare href="http://mix.excite.eu/add?feedurl=http%3A%2F%2Fwww.infolawgroup.com%2Findex.xml" src="http://image.excite.co.uk/mix/addtomix.gif">Subscribe with Excite MIX</feedburner:feedFlare><feedburner:feedFlare href="http://download.attensa.com/app/get_attensa.html?feedurl=http%3A%2F%2Fwww.infolawgroup.com%2Findex.xml" src="http://www.attensa.com/blogs/attensa/WindowsLiveWriter/BadgeredintoBadges_10C02/attensa_feed_button5.gif">Subscribe with Attensa for Outlook</feedburner:feedFlare><feedburner:feedFlare href="http://www.webwag.com/wwgthis.php?url=http%3A%2F%2Fwww.infolawgroup.com%2Findex.xml" src="http://www.webwag.com/images/wwgthis.gif">Subscribe with Webwag</feedburner:feedFlare><feedburner:feedFlare href="http://www.podcastready.com/oneclick_bookmark.php?url=http%3A%2F%2Fwww.infolawgroup.com%2Findex.xml" 
src="http://www.podcastready.com/images/podcastready_button.gif">Subscribe with Podcast Ready</feedburner:feedFlare><feedburner:feedFlare href="http://www.flurry.com/pushRssFeed.do?r=fb&amp;url=http%3A%2F%2Fwww.infolawgroup.com%2Findex.xml" src="http://www.flurry.com/images/flurry_rss_logo2.gif">Subscribe with Flurry</feedburner:feedFlare><feedburner:feedFlare href="http://www.wikio.com/subscribe?url=http%3A%2F%2Fwww.infolawgroup.com%2Findex.xml" src="http://www.wikio.com/shared/img/add2wikio.gif">Subscribe with Wikio</feedburner:feedFlare><feedburner:feedFlare href="http://www.dailyrotation.com/index.php?feed=http%3A%2F%2Fwww.infolawgroup.com%2Findex.xml" src="http://www.dailyrotation.com/rss-dr2.gif">Subscribe with Daily Rotation</feedburner:feedFlare><item>
         <title>The FTC MySpace Settlement:  A Reminder to Say What You Do &amp; Do What You Say</title>
         <description>&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;Once again, the Federal Trade Commission (&amp;ldquo;FTC&amp;rdquo;) has settled with a social networking platform regarding deceptive and misleading privacy practices.&amp;nbsp;Following settlements with &lt;a href="http://www.ftc.gov/opa/2010/06/twitter.shtm"&gt;Twitter, Inc. in June 2010,&lt;/a&gt; &lt;a href="http://www.ftc.gov/opa/2011/03/google.shtm"&gt;Google, Inc. in March 2011&lt;/a&gt;, and &lt;a href="http://www.ftc.gov/opa/2011/11/privacysettlement.shtm"&gt;Facebook, Inc. in November 2011&lt;/a&gt;, on Tuesday, the FTC reached a similar &lt;a href="http://www.ftc.gov/opa/2012/05/myspace.shtm"&gt;agreement&lt;/a&gt; with MySpace LLC (&amp;ldquo;MySpace&amp;rdquo;) over its failure to uphold promises made in its privacy policy regarding the collection and dissemination of user information.&lt;/p&gt;&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;MySpace employs a &amp;ldquo;Friend ID&amp;rdquo; as a unique personal identifier associated with each MySpace account. The Friend ID can be used to access the user&amp;rsquo;s basic profile information (e.g. full name) or even more if the user has chosen to make his/her profile available to the public. The MySpace privacy policy promised that it would not share users&amp;rsquo; personally identifiable information (&amp;ldquo;PII&amp;rdquo;) without first giving the user notice and gaining the user&amp;rsquo;s consent.&amp;nbsp;The privacy policy further promised that the information used to customize ads would not individually identify users to third parties and that MySpace would not share non-anonymized browsing activity.&lt;/p&gt;
&lt;p&gt;Contrary to what was stated in MySpace&amp;rsquo;s privacy policy, however, MySpace provided advertisers with the Friend ID, age and gender of users who were viewing pages on MySpace.&amp;nbsp;&amp;nbsp; Dissemination of this information allowed advertisers to use the Friend ID to locate the user&amp;rsquo;s profile thereby accessing additional user PII, including, in most cases, the user&amp;rsquo;s full name.&amp;nbsp;Additionally, with the Friend ID and the additional PII that the Friend ID makes available, advertisers could link wider web browsing activity to a specific individual.&lt;/p&gt;
&lt;p&gt;The settlement bars MySpace from making future misrepresentations regarding the extent to which it protects users&amp;rsquo; personal information, requires it to implement a comprehensive privacy program and requires it to undergo biennial, independent, third party privacy assessments for the next 20 years. &amp;nbsp;Further, the settlement also bars MySpace from misrepresenting &amp;ldquo;the extent to which it belongs to or complies with any privacy, security or other compliance program, including the U.S.-EU Safe Harbor Framework&amp;rdquo; as the complaint also alleged that MySpace misrepresented its compliance with this program.&lt;/p&gt;
&lt;p&gt;The MySpace settlement serves as a reminder that the FTC is very serious about its enforcement efforts in the privacy realm.&amp;nbsp;And, the key takeaway is clear: a privacy policy is more than just a &amp;lsquo;piece of a paper.&amp;rsquo;&amp;nbsp;Privacy policies must clearly state exactly what user information is obtained, stored and shared and companies must live up to the promises made in their privacy policies.&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/InfoLawGroup/~4/gyjGLzbpFec" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/InfoLawGroup/~3/gyjGLzbpFec/</link>
         <guid isPermaLink="false">http://www.infolawgroup.com/2012/05/articles/privacy-law/the-ftc-myspace-settlement-a-reminder-to-say-what-you-do-do-what-you-say/</guid>
         <category domain="http://www.infolawgroup.com/tags">FTC</category><category domain="http://www.infolawgroup.com/tags">FTC Act</category><category domain="http://www.infolawgroup.com/">Privacy</category><category domain="http://www.infolawgroup.com/articles">Privacy Law</category><category domain="http://www.infolawgroup.com/tags">privacy enforcement</category><category domain="http://www.infolawgroup.com/tags">social network</category>
         <pubDate>Wed, 09 May 2012 15:50:27 -0700</pubDate>
         <dc:creator>Shannon Harell</dc:creator>
      
      <feedburner:origLink>http://www.infolawgroup.com/2012/05/articles/privacy-law/the-ftc-myspace-settlement-a-reminder-to-say-what-you-do-do-what-you-say/</feedburner:origLink></item>
            <item>
         <title>NJ Reverses Course on Minimum Font Rule for Ads</title>
         <description>&lt;p&gt;New Jersey regulators reversed a rule that required any disclaimer text (i.e. &amp;ldquo;Terms and Conditions apply&amp;rdquo;) on an advertisement to be &amp;ldquo;set forth in at least 10-point type.&amp;rdquo;&amp;nbsp; The New Jersey Division of Consumer Affairs implemented the rule in January, 2012, and afterwards elicited comments from industry advocates.&amp;nbsp; The rule was a change to &lt;a href="http://www.google.com/url?sa=t&amp;amp;rct=j&amp;amp;q=&amp;amp;esrc=s&amp;amp;source=web&amp;amp;cd=1&amp;amp;ved=0CCUQFjAA&amp;amp;url=http%3A%2F%2Fwww.njconsumeraffairs.gov%2Focp%2Focpreg.pdf&amp;amp;ei=lwefT4b0JafN6QGr8YSLDw&amp;amp;usg=AFQjCNEm7_ipzsjyDIXEkQ6y8TyXxOUX_A&amp;amp;sig2=VyACXCSDqrLj1-_9PDRrDg"&gt;Section 5 of part 13:45A-9.2&lt;/a&gt; of the Department of Consumer Affairs&amp;rsquo; regulation regarding general advertising practices.&amp;nbsp; AT&amp;amp;T, one of the state&amp;rsquo;s most active advertisers, immediately raised concerns about the rule, noting that 10-point font size might be too large for some ads, or far too small for others.&amp;nbsp; Under the original rule, a billboard and an internet advertisement would have the same font size requirement, leading to what AT&amp;amp;T&amp;rsquo;s representatives argued was an absurd result.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;Agreeing with AT&amp;amp;T, the state regulators decided to strike the original rule and propose a new rule that removes the font size requirement in favor of a &amp;ldquo;clear and conspicuous&amp;rdquo; standard.&amp;nbsp; The new language reads as follows: &amp;ldquo;Disclaimers permitted or required under this section, such as &amp;lsquo;terms and conditions apply&amp;rsquo; and &amp;lsquo;quantities limited,&amp;rsquo; shall be set forth in a type size and style that is &lt;em&gt;clear and conspicuous&lt;/em&gt; relative to the other type sizes and styles used in the advertisement.&amp;rdquo; Comments on the proposed rule must be submitted by June 15, 2012.&amp;nbsp; The clear and conspicuous standard is a favorite of the Federal Trade Commission (FTC).&amp;nbsp; As advertising lawyers, we are constantly reviewing ads to ensure that disclosures meet the clear and conspicuous standard, which is not an easy task when reviewing online and mobile advertisements.&amp;nbsp; The FTC explains what it thinks clear and conspicuous means in its 12 year old online advertising disclosure guidelines known as &lt;em&gt;&lt;a href="http://www.ftc.gov/os/2000/05/0005dotcomstaffreport.pdf"&gt;Dot Com Disclosures&lt;/a&gt;&lt;/em&gt;.&amp;nbsp; However, note that those guidelines are under review for possible revision, as much has changed since the guidelines were originally published.&amp;nbsp; We will be at a &lt;a href="http://www.ftc.gov/opa/2012/02/dotcom.shtm"&gt;public workshop&lt;/a&gt; the FTC is hosting on May 30th as part of its review process.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/InfoLawGroup/~4/F9qz1SbZ_iI" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/InfoLawGroup/~3/F9qz1SbZ_iI/</link>
         <guid isPermaLink="false">http://www.infolawgroup.com/2012/05/articles/advertising-law/nj-reverses-course-on-minimum-font-rule-for-ads/</guid>
         <category domain="http://www.infolawgroup.com/articles">Advertising Law</category>
         <pubDate>Tue, 01 May 2012 08:07:12 -0700</pubDate>
         <dc:creator>Jamie Rubin</dc:creator>
      
      <feedburner:origLink>http://www.infolawgroup.com/2012/05/articles/advertising-law/nj-reverses-course-on-minimum-font-rule-for-ads/</feedburner:origLink></item>
            <item>
         <title>Vicarious Liability May Be Used to State a FACTA Claim</title>
         <description>&lt;p&gt;&amp;nbsp;Vicarious liability may be used to state a claim under the FACTA provision prohibiting a retailer from printing a credit card expiration date on a receipt.&amp;nbsp; &lt;i&gt;See Keith v. Back Yard Burgers of Nebraska, Inc.&lt;/i&gt;, No. 8:11-CV-135 (D. Neb. Apr. 13, 2012).&amp;nbsp; According to the court, only one other unreported decision had addressed a franchisor&amp;rsquo;s vicarious liability under FACTA.&amp;nbsp; Below, we discuss some considerations for retailers and franchisors arising from this ruling.&lt;/p&gt;&lt;p&gt;&amp;nbsp;In &lt;i&gt;Keith&lt;/i&gt;, a franchisee Back Yard Burgers restaurant printed credit and debit card expiration dates on its cash register receipts.&amp;nbsp; The plaintiff sued both the franchisee restaurant and the franchisor for a violation of the Fair and Accurate Credit Transaction Act of 2003 (&amp;ldquo;FACTA&amp;rdquo;), 15 U.S.C. &amp;sect; 1681c(g)(1), which prohibits this practice.&amp;nbsp; The plaintiff alleged that the franchisor was vicariously liable because it exercised significant and actual control over the franchisee&amp;rsquo;s business activities, including point of sale policies and procedures.&amp;nbsp; The franchisor answered and moved for judgment on the pleadings, arguing, in essence, that it had no liability because it was not the entity that accepted Plaintiff&amp;rsquo;s debit card and handed him a receipt, nor was it vicariously liable for the acts of its franchisee.&lt;/p&gt;
&lt;p&gt;The court denied the franchisor&amp;rsquo;s motion and concluded that vicarious liability is a viable basis to state a claim for a FACTA violation.&amp;nbsp; In so doing, the court relied on an unreported opinion from the Western District of Pennsylvania, which applied common law agency principles to conclude that vicarious liability may exist under FACTA if a franchisor exercises control sufficient to establish a master-servant relationship.&amp;nbsp; &lt;i&gt;See Patterson v. Denny&amp;rsquo;s Corp.&lt;/i&gt;, No. 07-1161, 2008 WL 250552, *2 (W.D. Penn. Jan. 30, 2008).&amp;nbsp; Because the &lt;i&gt;Keith &lt;/i&gt;order only resolved a motion for judgment on the pleadings, the court was required to read the pleadings in the light most favorable to the plaintiff, and the court therefore denied the franchisor&amp;rsquo;s motion.&lt;/p&gt;
&lt;p&gt;Given that vicarious liability is possible under FACTA under &lt;i&gt;Keith&lt;/i&gt;, retailers and franchisors should consider the following:&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;The law has prohibited retailers from printing expiration dates on receipts since 2003 when FACTA was enacted.&lt;br /&gt;
    &amp;nbsp;&lt;/li&gt;
    &lt;li&gt;Franchisors should be careful to provide sufficient guidance to their franchisees regarding proper point of sale procedures, but not provide so much oversight that they establish a master-servant relationship with their franchisee.&amp;nbsp; If the proper guidance is followed, it may help prevent lawsuits in the first instance.&amp;nbsp; And if the advice is not followed, a franchisor may have a defense against ultimate liability &amp;ndash; even if it cannot eliminate a plaintiff&amp;rsquo;s claims against it at an early stage in the litigation.&lt;br /&gt;
    &amp;nbsp;&lt;/li&gt;
    &lt;li&gt;Franchisors may consider including indemnity provisions in their franchise agreements that plainly apply to privacy-related claims, especially ones that arise from guidance that was provided, but not followed.&amp;nbsp; Although an indemnity provision will not prevent a lawsuit, it may provide a franchisor with a valuable counterclaim against its franchisee if the plaintiff ultimately prevails.&lt;/li&gt;
&lt;/ul&gt;&lt;img src="http://feeds.feedburner.com/~r/InfoLawGroup/~4/2h8e5ol2zd4" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/InfoLawGroup/~3/2h8e5ol2zd4/</link>
         <guid isPermaLink="false">http://www.infolawgroup.com/2012/05/articles/fcra-and-facta/vicarious-liability-may-be-used-to-state-a-facta-claim/</guid>
         <category domain="http://www.infolawgroup.com/tags">FACTA</category><category domain="http://www.infolawgroup.com/information-law/statues-and-regulations/federal">FCRA</category><category domain="http://www.infolawgroup.com/articles">FCRA and FACTA</category><category domain="http://www.infolawgroup.com/tags">expiration</category><category domain="http://www.infolawgroup.com/tags">franchisee</category><category domain="http://www.infolawgroup.com/tags">franchisor</category><category domain="http://www.infolawgroup.com/tags">receipt</category><category domain="http://www.infolawgroup.com/tags">vicarious liability</category>
         <pubDate>Tue, 01 May 2012 07:19:56 -0700</pubDate>
         <dc:creator>Andrew L. Hoffman</dc:creator>
      
      <feedburner:origLink>http://www.infolawgroup.com/2012/05/articles/fcra-and-facta/vicarious-liability-may-be-used-to-state-a-facta-claim/</feedburner:origLink></item>
            <item>
         <title>Social Media Networks Seek to Control Use of Their Products Through TOS Enforcement</title>
         <description>&lt;p&gt;Users of social media platforms should take notice of a changing legal strategy by some companies where litigation is pursued or threatened based solely on violation of a site&amp;rsquo;s Terms of Service (&amp;ldquo;TOS&amp;rdquo;).  So far, social media companies have only sought to squash undesirable behavior on their platforms from third party commercial entities, such as spammers or those seeking password sharing, but in the future such litigation could be viable against individual users.&lt;/p&gt;&lt;p&gt;In early April, Twitter &lt;a href="http://www.scribd.com/doc/88195333/Twitter-Spam-Filing"&gt;filed a lawsuit&lt;/a&gt; against four entities that the company said were the most prolific spammers on the service.  Using software tools, the spammers would auto-generate tweets, replies and follows in order to encourage unsuspecting users to visit illegitimate and often malicious sites.  After amassing a high volume of accounts, the spammers would then resell those accounts to websites seeking traffic.  While demanding monetary restitution of $700,000, Twitter claims in the suit that the spammers are liable for breach of contract for violating provisions of the TOS that prohibit creating duplicative accounts for the purposes of tweeting misleading links. &amp;nbsp;The accounts are packaged and sold to third parties who then spam users with unwanted links. This breach of contract claim is the sole claim for relief Twitter alleges in the complaint.&lt;br /&gt;
&lt;br /&gt;
This is significant because in the past platforms have utilized federal laws such as &lt;a href="http://business.ftc.gov/documents/bus61-can-spam-act-compliance-guide-business"&gt;CAN-SPAM&lt;/a&gt;, which prohibits sending misleading electronic communications, to punish the most egregious spammers.  If Twitter prevails in this lawsuit, it puts all users on notice that there is monetary liability for breaching a platform&amp;rsquo;s TOS, which significantly expands the ability of a social media company to rein in prohibited activity by users.&lt;br /&gt;
&lt;br /&gt;
Facebook has also &lt;a href="http://www.theatlantic.com/technology/archive/2012/03/facebook-threatens-legal-action-against-employers-asking-for-your-password/254979/"&gt;recently threatened to enforce&lt;/a&gt; their TOS as a way to limit undesired behavior by users.  In a rebuke to employers who sought prospective employees&amp;rsquo; passwords during interviews, the company stated that the Facebook TOS prohibit a user from sharing passwords with any third party, and suggested that the company might take legal action for breach of contract against employers that force a user to violate the TOS by sharing a password.&lt;br /&gt;
&lt;br /&gt;
Moving forward, individual users should be wary of how social media networks enforce their TOS in court, particularly concerning copyright and trademark violations.  Currently, under the &lt;a href="http://thomas.loc.gov/cgi-bin/query/z?c105:H.R.2281.ENR:"&gt;Digital Millennium Copyright Act&lt;/a&gt;, the controlling federal law concerning copyright violations, platforms are not directly liable to copyright holders for the copyright violations committed by social media users, such as when a user uploads a copyrighted video to their personal page.  However, &lt;a href="http://www.leahy.senate.gov/imo/media/doc/BillText-PROTECTIPAct.pdf"&gt;some pending legislation&lt;/a&gt; would seek to make a platform directly liable for user violations, which may encourage social media companies to shift any monetary damages to the user via a breach of TOS suit.  Social media platforms may be signaling to all users, not just malicious entities, that violation of TOS could be treated as vigorously as violation of state and federal law.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/InfoLawGroup/~4/lwcw_b6L6xY" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/InfoLawGroup/~3/lwcw_b6L6xY/</link>
         <guid isPermaLink="false">http://www.infolawgroup.com/2012/04/articles/social-networking/social-media-networks-seek-to-control-use-of-their-products-through-tos-enforcement/</guid>
         <category domain="http://www.infolawgroup.com/information-law/statues-and-regulations/federal">CAN-SPAM</category><category domain="http://www.infolawgroup.com/information-law/statues-and-regulations/federal">DMCA</category><category domain="http://www.infolawgroup.com/tags">Nihar Shah</category><category domain="http://www.infolawgroup.com/articles">Social Networking</category><category domain="http://www.infolawgroup.com/tags">Terms of Service</category><category domain="http://www.infolawgroup.com/tags">social media</category>
         <pubDate>Fri, 27 Apr 2012 08:26:30 -0700</pubDate>
         <dc:creator>Nihar Shah</dc:creator>
      
      <feedburner:origLink>http://www.infolawgroup.com/2012/04/articles/social-networking/social-media-networks-seek-to-control-use-of-their-products-through-tos-enforcement/</feedburner:origLink></item>
            <item>
         <title>The Duty to Authenticate Identity: the Online Banking Breach Lawsuits</title>
         <description>&lt;p&gt;&lt;strong&gt;&lt;em&gt;This is a reprint of an article I&amp;nbsp;originally wrote for the American Bar Association's &lt;a href="http://www.americanbar.org/publications/scitech_lawyer_home.html"&gt;SciTech Lawyer&lt;/a&gt; magazine.&amp;nbsp; You can read the original &lt;a href="http://www.infolawgroup.com/uploads/file/online_banking_breach_cases (DJN).pdf"&gt;HERE&lt;/a&gt;.&amp;nbsp; If you are interested in this article and the cross-roads between security, privacy and the law, you should also consider joining the &lt;a href="http://www2.americanbar.org/sections/scitech/ST230002/Pages/default.aspx?com=ST230002"&gt;ABA's Information Security Committee&lt;/a&gt; (which I Co-Chair).&lt;br /&gt;
&lt;/em&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;____________________________________&lt;/p&gt;
&lt;p&gt;We have entered an era where our commercial transactions are increasingly being conducted online without any face-to-face interaction, and without the traditional safeguards used to confirm that a party is who they purport to be.&amp;nbsp; The attenuated nature of many online relationships has created an opportunity for criminal elements to steal or spoof online identities and use them for monetary gain.&amp;nbsp;&amp;nbsp;&amp;nbsp;&amp;nbsp; As such, the ability of one party to authenticate the identity of the other party in an online transaction is of key importance.&amp;nbsp;&amp;nbsp;&lt;br /&gt;
&lt;br /&gt;
To counteract this threat, the business community has begun to develop new authentication procedures to enhance the reliability of online identities (so that transacting parties have a higher degree of confidence that the party on the other end of an electronic transaction is who they say they are).&amp;nbsp; At the same time, the law is beginning to recognize a duty to authenticate.&lt;/p&gt;&lt;p&gt;On the authentication side, mechanisms to prevent unauthorized individuals from posing as authorized parties include user names and passwords (i.e. &amp;ldquo;something you know&amp;rdquo;), token-based authentication (i.e. &amp;ldquo;something you have&amp;rdquo;), biometrics (i.e. &amp;ldquo;something you are&amp;rdquo;) and others.&amp;nbsp; Increasingly systems are being devised to confirm the identity of a transacting party based in part on their behavior (i.e. &amp;ldquo;something you&amp;rsquo;ve done [or not done]&amp;rdquo;)&amp;nbsp; A good example is the fraud detection algorithms used by credit card companies to detect anomalous behavior that is or may be indicative of ongoing or future fraudulent credit card use.&amp;nbsp; As discussed further below, this approach is beginning to find its way into the law as well.&lt;br /&gt;
&amp;nbsp;&lt;br /&gt;
On the legal side, several statutory regimes establish rules that seek to enhance the reliability of online identities.&amp;nbsp; This is particularly true in the financial sector, where existing law and recent court decisions regarding online authentication may well establish a trend ultimately applicable to many other types of commercial transactions. &lt;br /&gt;
&lt;br /&gt;
The Federal regulators of the Federal Financial Institutions Examination Council (&amp;ldquo;FFIEC&amp;rdquo;) have long been concerned about the authentication of identity in online banking transactions.&amp;nbsp; In 2005 the FFIEC issued a guidance document entitled &lt;em&gt;Authentication in an Internet Banking Environment &lt;/em&gt;(&amp;ldquo;&lt;a href="http://www.ffiec.gov/pdf/authentication_guidance.pdf"&gt;2005 Guidance&lt;/a&gt;&amp;rdquo;).&amp;nbsp; In June 2011, after a series of fraudulent wire transfers from small business accounts facilitated by online identity fraud, the FFIEC issued a supplement to its 2005 Guidance (&amp;ldquo;2011 FFIEC Supplement&amp;rdquo;).&amp;nbsp;&lt;/p&gt;
&lt;p&gt;Both the 2005 Guidance and 2011 FFIEC Supplement outline recommended security measures that banks can implement to enhance their ability to authenticate the identity of online banking users and prevent fraud.&amp;nbsp; As discussed below, a key feature of both FFIEC guidance documents is the use of &amp;ldquo;multi-factor authentication.&amp;rdquo;&amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
In addition, well before the regulatory guidance from the FFIEC, lawmakers in most states adopted Uniform Commercial Code Article 4A (Funds Transfers).&amp;nbsp; Section 202 (Use and Acceptance of Payment Order) of Article 4A establishes a legal mechanism to allocate the risk of loss between a bank and its customer in the event of a fraudulent transfer of funds from the customer&amp;rsquo;s account.&amp;nbsp;&amp;nbsp; Pursuant to this section, if a bank satisfies certain security requirements, including those directly related to authenticating identification, its customer will be liable for fraudulently transferred funds, even if the transfer was initiated by a criminal hacker.&amp;nbsp; Conversely, if the bank fails to meet such requirements, the bank will bear the risk of such losses.&lt;br /&gt;
&lt;br /&gt;
The 2005 Guidance and UCC 4A-202 set the stage for the recent legal wrangling between banks that provide online access to bank accounts and small businesses who saw millions of dollars evaporate from their banking accounts after criminals stole or spoofed their online banking authentication credentials.&lt;br /&gt;
&lt;br /&gt;
&lt;u&gt;&lt;strong&gt;Summary of the Online Banking Breaches and Lawsuits&lt;br /&gt;
&lt;br /&gt;
&lt;/strong&gt;&lt;/u&gt;For the past few years, the media has reported on several stories involving the fraudulent transfer of funds from small business accounts using online banking systems.&amp;nbsp; Many of these security breaches involved a common fact pattern:&amp;nbsp; using various methods (e.g. keystroke loggers, phishing attacks, Zeus botnets) criminal elements would steal online banking credentials from a small business customer and use those credentials to log into the customer&amp;rsquo;s online banking account and transfer money to the criminal&amp;rsquo;s account (often overseas in an Eastern European country or a former republic of the Soviet Union).&amp;nbsp; This scheme was very sophisticated and most believe it was being carried out by organized crime.&lt;br /&gt;
&amp;nbsp; &lt;br /&gt;
Of significance, it was often the customer&amp;rsquo;s weak security or a mistake on the customer&amp;rsquo;s part that allowed the criminals to obtain the customer&amp;rsquo;s online banking identity credentials in the first instance.&amp;nbsp; In some cases, banking customers fell for &amp;ldquo;&lt;a href="http://en.wikipedia.org/wiki/Phishing"&gt;phishing attacks&lt;/a&gt;&amp;rdquo;&amp;nbsp;that spoofed the look and feel of a bank&amp;rsquo;s email template and asked the customer to provide their username and password.&amp;nbsp; In another case (&amp;ldquo;EMI v. Comerica&amp;rdquo;) described below, the criminals tricked an individual working for the customer into providing the randomly generated number from the &amp;ldquo;token&amp;rdquo; physically possessed by that person &amp;ndash; a number that expired within seconds &amp;ndash; and used it to access the online banking site in real-time to initiate dozens of wire transfers.&lt;br /&gt;
&lt;br /&gt;
In many cases the banks refused to reimburse these small business customers for the funds fraudulently transferred from their accounts.&amp;nbsp; Beyond the monetary considerations, this refusal was likely premised on the fact that it was the conduct of the customers themselves that had allowed their credentials to be stolen.&amp;nbsp; Also, as the risk of this attack appeared serious, banks probably did not want to establish a precedent of just paying these losses.&amp;nbsp; Most importantly, the banks likely believe that the law is on their side in this situation.&lt;br /&gt;
&lt;br /&gt;
&lt;u&gt;&lt;strong&gt;Analysis of the Online Banking Breach Lawsuits&lt;/strong&gt;&lt;/u&gt;&lt;br /&gt;
&lt;br /&gt;
Needless to say, these circumstances led to several lawsuits&amp;nbsp; brought by small business customers seeking to recover from the banks.&amp;nbsp; The main allegation in these suits was that the authentication procedures and other security measures employed by the banks did not prevent the fraudulent wire transfers and were not commercially reasonable.&amp;nbsp; Specifically, the customers alleged that the security measures in place to enable the bank to authenticate the identity of the online banking user failed, and were not reasonable under the law.&amp;nbsp; As some of these cases wound their way through State and Federal courts we began to get some decisions providing insight on how courts analyze the concept of &amp;ldquo;commercially reasonable security&amp;rdquo; for purposes of authenticating identity.&lt;br /&gt;
&amp;nbsp; &lt;br /&gt;
Focusing on the issue of identity, these lawsuits involved a fairly common set of allegations:&lt;br /&gt;
&amp;nbsp;&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;the bank did not utilize multifactor authentication (e.g. something in addition to user name and password, such as &amp;ldquo;token-based&amp;rdquo; authentication or &amp;ldquo;out of band&amp;rdquo; fax confirmation) to verify the identity of the person initiating the funds transfers;&lt;/li&gt;
    &lt;li&gt;the bank failed to provide notice to the plaintiffs of unusual or suspicious activity;&lt;/li&gt;
    &lt;li&gt;the bank&amp;rsquo;s security measures did not prevent the fraudulent transfers and were not commercially reasonable;&lt;/li&gt;
    &lt;li&gt;the bank failed to block transfer requests from IP addresses that were different than those typically used by the plaintiff;&lt;/li&gt;
    &lt;li&gt;the allowable daily transfer limit vastly exceeded the plaintiffs&amp;rsquo; average/maximum daily transfers (e.g. in PATCO, the daily maximum limit was $750,000, but the most PATCO ever needed to transfer previously was $36,600);&lt;/li&gt;
    &lt;li&gt;the funds were transferred to individual accounts to which the plaintiffs had never transferred funds before; and&lt;/li&gt;
    &lt;li&gt;despite having been informed of unauthorized transactions by the plaintiff, the bank did not close the account in order to prevent more fraudulent transactions (e.g. in EMI, after allowing 45 fraudulent wire transfers to go through, the bank allegedly allowed another 46 to go through even after the plaintiff informed the bank that it had not initiated the initial batch of fraudulent wire transfers).&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;As the legal basis of liability, both &lt;em&gt;PATCO&lt;/em&gt; and &lt;em&gt;EMI&lt;/em&gt; focused on section 202(b) of UCC Article 4A, which provides:&lt;br /&gt;
&lt;br /&gt;
If a bank and its customer have agreed that the authenticity of payment orders issued to the bank in the name of the customer as sender will be verified pursuant to a &lt;strong&gt;&lt;em&gt;security procedure&lt;/em&gt;&lt;/strong&gt;, a payment order received by the receiving bank is effective as the order of the customer, whether or not authorized, if (i) the security procedure is a &lt;strong&gt;&lt;em&gt;commercially reasonable&lt;/em&gt;&lt;/strong&gt; method of providing security against unauthorized payment orders, and (ii) the bank proves that it accepted the payment order in &lt;em&gt;&lt;strong&gt;good faith&lt;/strong&gt;&lt;/em&gt; and &lt;strong&gt;&lt;em&gt;in compliance with the security procedure&lt;/em&gt;&lt;/strong&gt; and any written agreement or instruction of the customer restricting acceptance of payment orders issued in the name of the customer. &lt;br /&gt;
&lt;br /&gt;
While the plaintiffs attempted to argue that the banks failed to meet all of these requirements, much of the focus was on the issues of &amp;ldquo;commercially reasonable&amp;rdquo; security and the good faith requirement.&amp;nbsp; A big factor for analyzing these issues was the 2005 Guidance, and whether the defendant banks initiated &amp;ldquo;layered security&amp;rdquo; in the form of behavioral analytics to further authenticate the identity of the online banking customer.&lt;br /&gt;
&lt;br /&gt;
In both &lt;em&gt;PATCO&lt;/em&gt; and &lt;em&gt;EMI&lt;/em&gt; the court relied on the 2005 Guidance to render its decision.&amp;nbsp;&amp;nbsp; In that document, the FFIEC summarized its key point concerning authentication in the online banking environment as follows:&lt;br /&gt;
&lt;br /&gt;
The agencies consider single-factor authentication, as the only control mechanism, to be inadequate for high-risk transactions involving access to customer information or the movement of funds to other parties. Financial institutions offering Internet-based products and services to their customers should use effective methods to authenticate the identity of customers using those products and services. The authentication techniques employed by the financial institution should be appropriate to the risks associated with those products and services. Account fraud and identity theft are frequently the result of single-factor (e.g., ID/password) authentication exploitation. Where risk assessments indicate that the use of single-factor authentication is inadequate, financial institutions should implement multifactor authentication, layered security, or other controls reasonably calculated to mitigate those risks.&lt;br /&gt;
&lt;br /&gt;
In &lt;em&gt;PATCO&lt;/em&gt;, for the &amp;ldquo;something you have&amp;rdquo; authentication factor the bank utilized a &amp;ldquo;device cookie&amp;rdquo; placed on the customer&amp;rsquo;s computer to identify particular computers used to access online banking.&amp;nbsp; If the cookie changed or was newly installed on a different computer, the risk score for the transaction increased, and that potentially resulted in the user being asked a challenge question (e.g. &amp;ldquo;&lt;em&gt;What is your mother&amp;rsquo;s maiden name?&lt;/em&gt;&amp;rdquo;).&amp;nbsp; In fact, the bank in PATCO actually set its system up so that a challenge question (which amounts to a &amp;ldquo;something you know&amp;rdquo; factor) was asked for every transaction.&amp;nbsp; As such the modification or replacement of the device cookie would have effectively had no impact:&amp;nbsp; to gain access to the online account, the online banking customer would be asked the challenge question in all events anyway.&amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
Despite the fact that the device cookie factor was rendered irrelevant, the court referred to the FFIEC and held that the bank had (at least technically) implemented multi-factor authentication per the 2005 Guidance.&amp;nbsp; In addition, in holding that the bank had implemented commercially reasonable security the court noted that the bank utilized &amp;ldquo;layered security&amp;rdquo; (also mentioned in the 2005 Guidance), including some controls that analyzed customer behavior while banking online (discussed below).&amp;nbsp; In its holding the court specifically indicated that the bank&amp;rsquo;s security was not optimal, but then noted that commercially reasonable security does not require a bank to adopt the best security procedures then available.&lt;br /&gt;
&lt;br /&gt;
In &lt;em&gt;EMI&lt;/em&gt;, the bank actually utilized &amp;ldquo;true&amp;rdquo; multi-factor authentication.&amp;nbsp; In addition to user name and password, the plaintiff in &lt;em&gt;EMI&lt;/em&gt; had been provided a physical token that sent a number to the user when he or she logged into the online banking site.&amp;nbsp; That number is only good for 30-60 seconds, so unless the fraudster actually possesses the token, or is able to intercept the number and log in in real-time, it is not possible to spoof the identity of the banking customer.&amp;nbsp; Unfortunately, through the use of a phishing attack, the fraudsters were able to persuade the plaintiff&amp;rsquo;s representative to provide his username, password and token number, and logged in immediately upon receiving them.&amp;nbsp; Once they had established a legitimate online banking session, they were able to initiate approximately 97 wire transfers over a six-hour period.&amp;nbsp;&amp;nbsp;&lt;br /&gt;
&lt;br /&gt;
On motion for summary judgment, the &lt;em&gt;EMI&lt;/em&gt; court ruled that the bank implemented commercially reasonable security as a matter of law&amp;nbsp;because the plaintiff agreed in its contract with the bank that the bank&amp;rsquo;s security was commercially reasonable.&amp;nbsp;&amp;nbsp; However, later at trial, the court ruled that the bank failed to act in good faith concerning its processing and acceptance of the fraudulent wire transfers at issue.&amp;nbsp; According to the court this failure occurred, in large part, because the bank did not implement behavioral analytics to further authenticate the identity of the online banking user after the online banking session began.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;&lt;u&gt;The Role of Behavioral Analytics&lt;/u&gt;&lt;/strong&gt;&lt;br /&gt;
&lt;br /&gt;
In both cases the existence (or lack of) security controls related to the plaintiff-customers&amp;rsquo; behavior played a role in the court&amp;rsquo;s ruling.&amp;nbsp; While neither court expressly described it in these terms, each court was effectively analyzing a new factor in authenticating identity &amp;ndash; i.e., authentication based on behavior:&amp;nbsp; &amp;ldquo;what you do [or don&amp;rsquo;t do].&amp;rdquo;&amp;nbsp; This approach supplements the three traditional authentication factors (something you know, something you have, and something you are) by analyzing the user&amp;rsquo;s conduct as an attribute of identity.&amp;nbsp; By comparing the behavior of the current user against the prior behavior of known authorized users, the likelihood of identifying a fraudster posing as an authorized user is increased.&lt;br /&gt;
&lt;br /&gt;
In &lt;em&gt;PATCO&lt;/em&gt;, the existence of &amp;ldquo;layered security,&amp;rdquo; including many controls tied to behavioral analytics, further supported the court&amp;rsquo;s finding of commercially reasonable security.&amp;nbsp;&amp;nbsp; Those controls included customer &amp;ldquo;risk profiling&amp;rdquo; that considered factors like the location of the user logging in, when and how often the online banking system was previously used by the customer, the activities the user typically engaged in, the Internet Protocol (IP) address typically used by the customer to log-in, and the size, type, and frequency of payment orders normally issued by the customer.&amp;nbsp; Taking these behavioral factors into account the bank&amp;rsquo;s system in &lt;em&gt;PATCO&lt;/em&gt; would assign a risk to a particular online banking session and if that risk reached certain thresholds the user would be asked to further authenticate his or her identity (in this case through a challenge question).&lt;br /&gt;
&lt;br /&gt;
In contrast, the &lt;em&gt;lack&lt;/em&gt; of behavioral analytics was a key factor that led the judge in &lt;em&gt;EMI &lt;/em&gt;to rule against the bank at trial.&amp;nbsp; The court identified several behavioral red flags that it believed should have raised the bank&amp;rsquo;s suspicion.&amp;nbsp; The failure of the bank to take these red flags into account led the court to rule that the bank had not proved that it acted in good faith to detect and stop the fraudulent wire activity.&amp;nbsp; In particular, the bank failed to compare the fraudsters&amp;rsquo; behavior against the prior activities of the plaintiff, including the volume and frequency of the payment orders and the book transfers that enabled the criminal to fund those orders; the plaintiff&amp;rsquo;s limited prior wire activity; the $5 million overdraft created by those book transfers in what is regularly a zero balance account; and the destinations and beneficiaries of the funds (to Moscow, Estonia, and China).&amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
&lt;u&gt;&lt;strong&gt;2011 FFIEC Regulatory Guidance Supplement and Behavioral Analytics&lt;/strong&gt;&lt;/u&gt;&lt;br /&gt;
&lt;br /&gt;
Shortly after the decisions in &lt;em&gt;EMI &lt;/em&gt;and&lt;em&gt; PATCO&lt;/em&gt;, the FFIEC released its 2011 Supplement and reinforced the importance of behavioral analytics for confirming identity and detecting potential fraudulent behavior.&amp;nbsp; For example, the 2011 FFIEC Supplement clarifies the concept of customer authentication:&lt;br /&gt;
&lt;br /&gt;
The concept of customer authentication, as described in the 2005 Guidance, is broad. &lt;strong&gt;&lt;em&gt;It includes more than the initial authentication of the customer when he/she connects to the financial institution at login.&lt;/em&gt;&lt;/strong&gt; Since virtually every authentication technique can be compromised, financial institutions should not rely solely on any single control for authorizing high risk transactions, but rather institute a system of &lt;strong&gt;&lt;em&gt;layered security&lt;/em&gt;&lt;/strong&gt;, as described herein. (emphasis supplied)&lt;/p&gt;
&lt;p&gt;Examples of &amp;ldquo;layered security&amp;rdquo; in the 2011 FFIEC Supplement as related to enhanced authentication protocols include (in relevant part):&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;fraud detection and monitoring systems that include consideration of customer history and behavior and enable a timely and effective institution response;&lt;/li&gt;
    &lt;li&gt;the use of dual customer authorization through different access devices; and&lt;/li&gt;
    &lt;li&gt;the use of out‐of‐band verification for transactions.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;In fact, the 2011 FFIEC Supplement indicates that one of the &amp;ldquo;minimum&amp;rdquo; elements that should be part of layered security for online banking is a set of processes designed to detect anomalies and effectively respond to suspicious or anomalous activity related to initial login and authentication &lt;em&gt;&lt;strong&gt;as well as initiation of transactions involving the transfer of funds to others.&lt;/strong&gt;&lt;/em&gt;&amp;nbsp; In support of this element, the FFIEC specifically noted that in many cases of online banking fraud, the fraud could have been prevented because the wire transfers being originated by the fraudsters were anomalous when compared with the customer&amp;rsquo;s established patterns of behavior.&amp;nbsp; In short, the 2011 FFIEC Supplement further supports the contention that behavior should be used as an additional factor for purposes of validating identity, and that legal authorities consider this factor important.&lt;br /&gt;
&lt;br /&gt;
&lt;u&gt;&lt;strong&gt;Conclusion&lt;/strong&gt;&lt;/u&gt;&lt;br /&gt;
&lt;br /&gt;
Issues of identity, authentication and reasonable security will surely continue to collide with the law as society transacts more frequently online.&amp;nbsp; As a result, the legal responsibility of parties to establish adequate means to verify the identity of their customers, clients and users is likely to increase.&amp;nbsp; As outlined above we are already seeing this in the online banking context.&amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
What is clear from these cases is that authentication protocols employed by entities need to be adaptive to the particular threats and scams that may arise in the future.&amp;nbsp; The idea of using a customer&amp;rsquo;s online behavior to further authenticate identity could expand into other contexts such as healthcare, social media activities and other contracting relationships where data is or can be recorded concerning prior behavior.&amp;nbsp; &lt;br /&gt;
&lt;br /&gt;
As we move forward it is likely that legislation or court decisions will mandate legal standards and requirements around authenticating identity, and similar to UCC 4A-202 in the online banking context, allocate risk of loss based on an entity&amp;rsquo;s compliance (or failure to comply) with such standards.&amp;nbsp; Lawyers working on online transactions would be well-advised to consider the legal risk associated with authenticating identity.&amp;nbsp; As the threats increase, lawyers will be called on not only to litigate these matters after the fact, but also to establish legal and contractual mechanisms for minimizing risk.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/InfoLawGroup/~4/-H8eLj75A3M" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/InfoLawGroup/~3/-H8eLj75A3M/</link>
         <guid isPermaLink="false">http://www.infolawgroup.com/2012/04/articles/reasonable-security/the-duty-to-authenticate-identity-the-online-banking-breach-lawsuits/</guid>
         <category domain="http://www.infolawgroup.com/information-law/standards-and-guidelines">FFIEC</category><category domain="http://www.infolawgroup.com/articles">Reasonable Security</category><category domain="http://www.infolawgroup.com/information-law/statues-and-regulations/state">Security</category><category domain="http://www.infolawgroup.com/tags">UCC 4A-202</category><category domain="http://www.infolawgroup.com/tags">authentication</category><category domain="http://www.infolawgroup.com/tags">authentication"</category><category domain="http://www.infolawgroup.com/tags">comerica</category><category domain="http://www.infolawgroup.com/tags">commercially reasonable security</category><category domain="http://www.infolawgroup.com/tags">contracting</category><category domain="http://www.infolawgroup.com/tags">experimetal</category><category domain="http://www.infolawgroup.com/tags">layered security</category><category domain="http://www.infolawgroup.com/tags">patco</category><category domain="http://www.infolawgroup.com/tags">phishing</category><category domain="http://www.infolawgroup.com/tags">reasonable</category><category domain="http://www.infolawgroup.com/tags">security breach</category><category domain="http://www.infolawgroup.com/tags">security breach litigation</category><category domain="http://www.infolawgroup.com/tags">token
"multifactor</category>
         <pubDate>Tue, 17 Apr 2012 09:39:42 -0700</pubDate>
         <dc:creator>David Navetta</dc:creator>
      
      <feedburner:origLink>http://www.infolawgroup.com/2012/04/articles/reasonable-security/the-duty-to-authenticate-identity-the-online-banking-breach-lawsuits/</feedburner:origLink></item>
            <item>
         <title>Ninth Circuit Narrows Reach of CFAA In En Banc US v Nosal Decision</title>
         <description>&lt;p&gt;The legal and online arenas have been abuzz the last several days in response to the Ninth Circuit's issued &lt;em&gt;&lt;a href="http://en.wikipedia.org/wiki/En_banc"&gt;en banc&lt;/a&gt; &lt;/em&gt;opinion in &lt;a href="http://www.ca9.uscourts.gov/datastore/opinions/2012/04/10/10-10038.pdf"&gt;U.S v. Nosal, 2012 WL 1176119 (9th Cir. April 10, 2012)&lt;/a&gt;, addressing the reach and scope of the oft-litigated and controversial, &lt;a href="http://en.wikipedia.org/wiki/Computer_Fraud_and_Abuse_Act"&gt;Computer Fraud and Abuse Act &lt;/a&gt;(CFAA), codified at &lt;a href="http://www.law.cornell.edu/uscode/text/18/1030"&gt;18 U.S.C. &amp;sect; 1030&lt;/a&gt;.  The crux of the broader interest in the case has been recent applications of the CFAA criminalizing violations of website terms of use and employer restrictions on employee computer uses, stemming in particular from what the statute&amp;rsquo;s term &amp;ldquo;exceeds authorized access&amp;rdquo; does and does not mean.&lt;/p&gt;
&lt;p&gt;What&amp;rsquo;s the bottom line? What do you need to know about the case&amp;rsquo;s holding to apply to and recognize in your employee policies, website terms, etc.?&lt;/p&gt;&lt;p&gt;&lt;strong&gt;First&lt;/strong&gt;, the case does not hold, in my opinion, as one learned colleague has &lt;a href="http://computerfraud.us/recent-updates/the-9th-circuit-employees-are-free-to-steal-from-the-company-computers"&gt;opined&lt;/a&gt;, that &amp;ldquo;employees are [now] free to steal from [] company computers.&amp;rdquo; Far from it. After all, as the Court noted, Nosal was indicted on &amp;ldquo;twenty counts, including trade secret theft, [the ever popular count of] mail fraud, [and] conspiracy,&amp;rdquo; which charges remain pending, in addition to the now dismissed criminal violations of the CFAA.  It&amp;rsquo;s simply not accurate to state that the floodgates have opened wide for employees to run riot without penalty through every database, spreadsheet and confidential piece of information their employer has on hand.&lt;br /&gt;
&lt;br /&gt;
&lt;strong&gt;Second&lt;/strong&gt;, the majority&amp;rsquo;s clear opinion, penned by one of the Ninth&amp;rsquo;s most colorful judges, &lt;a href="http://en.wikipedia.org/wiki/Judge_Kozinski"&gt;Alex Kozinski&lt;/a&gt;, applies the &lt;a href="http://en.wikipedia.org/wiki/Statutory_interpretation"&gt;rule of lenity &lt;/a&gt;to decide between the two possible readings of the applicable language, resulting in a bright-line boundary &amp;ndash; at least for those in the Ninth Circuit &amp;ndash; that the CFAA does &amp;ldquo;not extend to violations of [website and company policy] use restrictions&amp;rdquo; and that the CFAA&amp;rsquo;s &amp;ldquo;exceeds authorized access&amp;rdquo; requirement is limited to &amp;ldquo;violations of restrictions on access to information, and not restrictions on its use.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;What&amp;rsquo;s piqued further attention is that the Ninth Circuit&amp;rsquo;s &lt;em&gt;en banc &lt;/em&gt;opinion re-affirms the district court&amp;rsquo;s dismissal of the CFAA counts, replacing the previous Ninth Circuit panel&amp;rsquo;s 2-1 opinion filed nearly a year ago, which had reversed the district court&amp;rsquo;s dismissal of the CFAA counts, and sets up a clear circuit split among those Courts of Appeal to have opined on the issues, with the Ninth on one side and the Fifth, Seventh and Eleventh Circuits on the other side, priming the pump for potential resolution by the Supreme Court.  Until then, however, the takeaways are:&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;It should not be assumed that violations of employee handbooks, confidentiality agreements and data access restrictions as to &amp;ldquo;use&amp;rdquo; of a computer system will rise to the level of a federal crime;&lt;/li&gt;
    &lt;li&gt;Many other federal and state civil &amp;ndash; and criminal &amp;ndash; statutes provide adequate remedies in the event employees or others misappropriate company materials;&lt;/li&gt;
    &lt;li&gt;The CFAA is not a rubber hammer, stretching to fit the head of every nail that a plaintiff or prosecutor wants to hammer; and&lt;/li&gt;
    &lt;li&gt;Finally, while companies and their attorneys, certainly in Circuits outside of the Ninth, will continue to press and make claims that violations of ToU&amp;rsquo;s and company policies run criminally afoul of the CFAA, in my sole individual opinion (expressly not reflective nor representative of the opinions of either my firm or our clients) such claims are typically contrary to the law as generally understood by the populace at large.  As such, I believe they do needless violence to the fraying social contract we all abide by, as well as the increasingly tenuous legal fiction that all of us are charged with constructive knowledge of all laws.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;For those needing to &amp;ldquo;get in, get out and get on&amp;rdquo; the above capsule should be enough.  But for Nosal and CFAA aficionados and fans, of which I&amp;rsquo;m one, more detailed information and a collection of Nosal-related links discussing the Ninth&amp;rsquo;s en banc opinion are available below.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Background&lt;/strong&gt;&lt;br /&gt;
&lt;br /&gt;
It&amp;rsquo;s a fair bet that you probably go to more interesting parties than I do, but when I&amp;rsquo;m &amp;quot;putting on the Ritz&amp;quot; I at least like to have the fact of any case I&amp;rsquo;ll be animatedly discussing nailed down and readily at hand.  It&amp;rsquo;s a strange point of pride.  So here's a basic summary of the facts of the Nosal case for your next garden party.&lt;/p&gt;
&lt;p&gt;David Nosal was an employee with an executive search firm called Korn/Ferry until he resigned in October 2004. As part of his separation agreement, he apparently agreed to serve as an independent contractor for the company and not work for a competing firm for one year in exchange for two lump-sum payments and 12 monthly payments of $25,000 during that same period. Not a bad gig, and simple enough, right? Well, human nature being what it is, Nosal couldn't leave well enough alone and confine himself to sipping sweet adult beverages with little umbrellas in them by the pool for the next year.  Instead, during the first few months of the following year he contacted three former coworkers at Korn/Ferry in the hopes of convincing them to join him in starting a competing firm. His machinations worked, but before leaving the company, the internal trio downloaded a large amount of &amp;quot;highly confidential and proprietary&amp;quot; data from Korn/Ferry's computers, including source lists, client data, and contact information.&lt;br /&gt;
&lt;br /&gt;
Fast forward to June 26, 2008 when the four men were indicted by the federal government on 20 various counts, including criminal violations of the CFAA, with the government alleging that they had exceeded their authorized access to Korn/Ferry's computers, &amp;quot;knowingly and with intent to defraud.&amp;quot; Nosal moved for dismissal on the grounds that the CFAA was intended to address computer hackers and &amp;quot;does not cover employees who misappropriate information or who violate contractual confidentiality agreements.&amp;quot; &lt;br /&gt;
&lt;br /&gt;
Of particular note is the fact that Nosal argued that he had not violated Section 1030(a)(4) of the CFAA, which applies to anyone who &amp;quot;knowingly and with intent to defraud, accesses a protected computer without authorization, or exceeds authorized access, and by means of such conduct furthers the intended fraud and obtains anything of value, unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period.&amp;quot; (18 USC &amp;sect; 1030 (a)(4)). It was under this provision that the more serious criminal charges against the four were based&amp;ndash; hence the strenuous challenges and appeals since.&lt;br /&gt;
&lt;br /&gt;
Nosal argued in response that because they had accessed the information while working for Korn/Ferry they had actual and express authorization to &amp;ldquo;access&amp;rdquo; the information.  Hence the CFAA&amp;rsquo;s provisions didn&amp;rsquo;t apply regardless of whatever misuse may have followed.   On these grounds, Nosal et al. filed a motion to dismiss. The district court initially rejected the argument but nonetheless dismissed the five charges based on Section (a)(4). The government up&amp;rsquo;d the ante when it filed an interlocutory appeal to the Ninth Circuit on the basis that Nosal&amp;rsquo;s downloading of Korn/Ferry's data was a violation of Nosal&amp;rsquo;s applicable workplace computer policies and thus constituted &amp;ldquo;unauthorized access&amp;rdquo; under the CFAA.&lt;/p&gt;
&lt;p&gt;The Ninth Circuit panel last year centered its 2-1 decision largely on whether or not Nosal and his accomplices had exceeded their authorization to use Korn/Ferry's computers, as neither party disputed that they were authorized to use the computers to some extent. The court therefore relied heavily on earlier Circuit decisions in &lt;a href="http://scholar.google.com/scholar_case?case=3712527331075916393&amp;amp;q=LVRC+Holdings+v.+Brekka&amp;amp;hl=en&amp;amp;as_sdt=8003"&gt;LVRC Holdings v. Brekka, 518 F.3d 1127 (9th Cir 2009)&lt;/a&gt;, in which an employee had transferred work documents from his employer's computers to his personal email account and found himself sued by his employer under the CFAA for his efforts. The court's ruling in that case strongly emphasized the difference in Section (a)(4) between &amp;quot;without authorization&amp;quot; and &amp;quot;exceeding authorized access&amp;quot;, because if there were no distinction between the two, there would be no need for the latter concept; after all, if both situations were treated in the same way, then there would be no need for two different phrases, and given that a cardinal rule of judicial statutory interpretation is that no language in a statute is superfluous the two clauses must address different situations. &lt;br /&gt;
&lt;br /&gt;
In light of the previous &lt;em&gt;Brekka &lt;/em&gt;holding, the prior Ninth Circuit panel in US v. Nosal held that an employee is &amp;quot;exceeding authorized access&amp;quot; when they use a computer in any way that violates an employer's access restrictions, including any policies governing how information on the computer may be used. The panel elaborated on the distinction, stating &amp;quot;...an individual who is authorized to use a computer for certain purposes but goes beyond those limitations is considered by the CFAA as someone who has 'exceed[ed] authorized access.' On the other hand, a person who uses a computer 'without authorization' has no rights, limited or otherwise, to access the computer in question.&amp;quot; &lt;em&gt;United States v. Nosal&lt;/em&gt;, 642 F.3d 781 (9th Cir. 2011).&lt;br /&gt;
&lt;br /&gt;
To put the original panel&amp;rsquo;s holding in stark terms, they held, essentially, that it doesn't technically matter whether an employee has broken any existing laws &amp;ndash; if the employee used the computer for anything the employer prohibited them from, it constituted a violation of the CFAA. The recent en banc opinion by Chief Judge Kozinski makes much of this, providing example after example of potentially probable but unexpected scenarios that, in Judge Kozinski&amp;rsquo;s words, &amp;ldquo;will earn you a handsome orange jumpsuit.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;The En Banc Opinion&lt;/strong&gt;&lt;br /&gt;
&lt;br /&gt;
The en banc ruling, of course, as highlighted in brief, interprets the CFAA as not reaching violations of terms of use or company computer usage policies as criminal infractions. The concise 22-page opinion is a quick and enlightening read, and I urge you to read it, but in the interest of completeness I should recognize the points raised in dissent by Judge Silverman, joined by Judge Tallman.  Essentially the dissent pooh-poohs the majority&amp;rsquo;s parade of horribles, painting the majority&amp;rsquo;s concerns as so many stuffed straw men, and curtly dismissing the majority&amp;rsquo;s view as:&lt;br /&gt;
&lt;br /&gt;
&amp;ldquo;This case has nothing to do with playing sudoku, checking email, fibbing on dating sites, or any of the other activities that the majority rightly values. It has everything to do with stealing an employer&amp;rsquo;s valuable information to set up a competing business with the purloined data, siphoned away from the victim, knowing such access and use were prohibited in the defendants&amp;rsquo; employment contracts.&amp;rdquo;&lt;br /&gt;
&lt;br /&gt;
Perhaps.  But the majority's scenarios are all too familiar to virtually every employee that has killed time on his company computer with non-company functions.  Where the dissent goes somewhat astray, in my opinion, is in stating that &amp;ldquo;[t]he majority also takes a plainly written statute and parses it in a hyper-complicated way that distorts the obvious intent of Congress.&amp;rdquo; An objective review of CFAA caselaw clearly shows that the statute is far from &amp;quot;plainly written&amp;quot; given the scattered judicial interpretations to date.  Admirably, in a day and age when &lt;a href="http://en.wikipedia.org/wiki/Mens_rea"&gt;&lt;em&gt;mens rea &lt;/em&gt;&lt;/a&gt;is increasingly and disturbingly falling by the wayside in many criminal statutory applications, the dissent notes that the CFAA contains a specific &lt;em&gt;mens rea&lt;/em&gt;, and that other Circuits have interpreted the CFAA more expansively than the majority.  Finally, the dissent notes that an as-applied challenge would still be available to the targets of the parade of horribles.&lt;br /&gt;
&lt;br /&gt;
As my name isn&amp;rsquo;t preceded by the appellation Judge or Justice, my opinions are just that&amp;hellip; opinions with no binding or authoritative effect.  Still, the majority&amp;rsquo;s cabining of the CFAA &amp;ndash; in the absence of Congressional action &amp;ndash; has found favor with many across the blogosphere and netverse.&lt;/p&gt;
&lt;p&gt;Want more?  Here&amp;rsquo;s a good collection of links on the case and recent commentary:&lt;/p&gt;
&lt;p&gt;The district court ruling: &lt;a href="http://scholar.google.com/scholar_case?case=17426102904279126314&amp;amp;q=us+v+nosal&amp;amp;hl=en&amp;amp;as_sdt=2,7&amp;amp;as_vis=1"&gt;http://scholar.google.com/scholar_case?case=17426102904279126314&amp;amp;q=us+v+nosal&amp;amp;hl=en&amp;amp;as_sdt=2,7&amp;amp;as_vis=1&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
Original 9th Circuit ruling: &lt;a href="http://www.ca9.uscourts.gov/datastore/opinions/2011/04/28/10-10038.pdf"&gt;http://www.ca9.uscourts.gov/datastore/opinions/2011/04/28/10-10038.pdf&lt;/a&gt;; and Judge Trott's dissent: &lt;a href="http://scholar.google.com/scholar_case?case=3965762782958557205&amp;amp;q=us+v+nosal&amp;amp;hl=en&amp;amp;as_sdt=2,7&amp;amp;as_vis=1"&gt;http://scholar.google.com/scholar_case?case=3965762782958557205&amp;amp;q=us+v+nosal&amp;amp;hl=en&amp;amp;as_sdt=2,7&amp;amp;as_vis=1&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://en.wikipedia.org/wiki/United_States_v._Nosal"&gt;http://en.wikipedia.org/wiki/United_States_v._Nosal&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://www.chicagotribune.com/business/sns-rt-us-computerfraud-rulingbre8391bs-20120410,0,6761656.story "&gt;http://www.chicagotribune.com/business/sns-rt-us-computerfraud-rulingbre8391bs-20120410,0,6761656.story  &lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://www.hahnloeser.com/tradesecretlitigator/post/2012/04/11/US-v-Nosal-Ninth-Circuit-Issues-Its-Long-Awaited-Decision-and-Limits-the-Computer-Fraud-and-Abuse-Act-to-Hacking.aspx "&gt;http://www.hahnloeser.com/tradesecretlitigator/post/2012/04/11/US-v-Nosal-Ninth-Circuit-Issues-Its-Long-Awaited-Decision-and-Limits-the-Computer-Fraud-and-Abuse-Act-to-Hacking.aspx  &lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;a href="https://www.eff.org/press/releases/appeals-court-rules-violating-corporate-policy-not-computer-crime "&gt;https://www.eff.org/press/releases/appeals-court-rules-violating-corporate-policy-not-computer-crime &lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://www.fedsocblog.com/blog/ninth_circuit_narrows_reach_of_computer_fraud_law/ "&gt;http://www.fedsocblog.com/blog/ninth_circuit_narrows_reach_of_computer_fraud_law/ &lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://www.technolog.msnbc.msn.com/technology/technolog/court-facebooking-work-not-federal-crime-even-when-forbidden-710056 "&gt;http://www.technolog.msnbc.msn.com/technology/technolog/court-facebooking-work-not-federal-crime-even-when-forbidden-710056 &lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://www.theawl.com/2012/04/the-ninth-circuit-lying-on-social-media-websites-is-common"&gt;http://www.theawl.com/2012/04/the-ninth-circuit-lying-on-social-media-websites-is-common&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://www.businessweek.com/news/2012-04-10/checking-facebook-at-work-isn-t-crime-appeals-court-rules"&gt;http://www.businessweek.com/news/2012-04-10/checking-facebook-at-work-isn-t-crime-appeals-court-rules&lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://www.examiner.com/business-news-in-los-angeles/going-on-facebook-at-work-is-not-a-crime "&gt;http://www.examiner.com/business-news-in-los-angeles/going-on-facebook-at-work-is-not-a-crime &lt;/a&gt;&lt;br /&gt;
&lt;br /&gt;
&lt;a href="http://computerfraud.us/recent-updates/the-9th-circuit-employees-are-free-to-steal-from-the-company-computers"&gt;http://computerfraud.us/recent-updates/the-9th-circuit-employees-are-free-to-steal-from-the-company-computers&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;&lt;a href="http://volokh.com/2012/04/10/ninth-circuit-hands-down-en-banc-decision-in-united-states-v-nosal-adopting-narrow-interpretation-of-computer-fraud-and-abuse-act/"&gt;http://volokh.com/2012/04/10/ninth-circuit-hands-down-en-banc-decision-in-united-states-v-nosal-adopting-narrow-interpretation-of-computer-fraud-and-abuse-act/&lt;/a&gt;&lt;br /&gt;
&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/InfoLawGroup/~4/NIFH3Eu90iI" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/InfoLawGroup/~3/NIFH3Eu90iI/</link>
         <guid isPermaLink="false">http://www.infolawgroup.com/2012/04/articles/computer-fraud-and-abuse-act-c/ninth-circuit-narrows-reach-of-cfaa-in-en-banc-us-v-nosal-decision/</guid>
         <category domain="http://www.infolawgroup.com/information-law/statues-and-regulations/federal">CFAA</category><category domain="http://www.infolawgroup.com/articles">Computer Fraud and Abuse Act (CFAA)</category><category domain="http://www.infolawgroup.com/tags">Ninth Circuit</category><category domain="http://www.infolawgroup.com/tags">Richard Santalesa</category><category domain="http://www.infolawgroup.com/tags">computer fraud and abuse act</category>
         <pubDate>Fri, 13 Apr 2012 14:22:25 -0700</pubDate>
         <dc:creator>Richard Santalesa</dc:creator>
      
      <feedburner:origLink>http://www.infolawgroup.com/2012/04/articles/computer-fraud-and-abuse-act-c/ninth-circuit-narrows-reach-of-cfaa-in-en-banc-us-v-nosal-decision/</feedburner:origLink></item>
            <item>
         <title>Acai of Relief? Marketers' Recent Settlement of FTC Charges Serves as a Reminder for Online Advertisers and Affiliate Marketers.</title>
         <description>&lt;p&gt;&lt;em&gt;InfoLawGroup Partner &lt;/em&gt;&lt;a href="http://www.infolawgroup.com/2009/10/promo/attorneys/jamie-rubin/#more"&gt;&lt;em&gt;Jamie Rubin&lt;/em&gt;&lt;/a&gt;&lt;em&gt;, and Counsel &lt;/em&gt;&lt;a href="http://www.infolawgroup.com/2009/09/promo/attorneys/andrew-l-hoffman/#more"&gt;&lt;em&gt;Andrew L. Hoffman&lt;/em&gt;&lt;/a&gt;&lt;em&gt;, contributed to this post.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;Two online marketers of acai berry products recently &lt;a href="http://www.ftc.gov/opa/2012/03/fakenews.shtm"&gt;settled&lt;/a&gt; the &lt;a href="http://www.ftc.gov/"&gt;FTC&lt;/a&gt;&amp;rsquo;s charges that the marketers engaged in deceptive practices by operating &amp;ldquo;fake news&amp;rdquo; sites directly and through affiliates to promote acai berry products. Although these cases are extreme examples of deceptive practices, they should serve as an important reminder for companies engaging in affiliate marketing that the FTC actively enforces in this area using the &lt;a href="http://en.wikipedia.org/wiki/Federal_Trade_Commission_Act"&gt;FTC&amp;nbsp;Act&lt;/a&gt;, and that companies marketing through affiliates and affiliate marketers must understand and address the FTC&amp;rsquo;s &lt;a href="http://www.ftc.gov/os/2009/10/091005revisedendorsementguides.pdf"&gt;Guides Concerning the Use of Endorsements and Testimonials in Advertising, which were updated in 2009 &lt;/a&gt;(&amp;ldquo;Guides&amp;rdquo;).&amp;nbsp; As discussed further below, this can pose a challenge for companies of all types advertising through affiliate marketing programs.&lt;/p&gt;&lt;p&gt;In the &lt;a href="http://www.ftc.gov/os/caselist/1023232/index.shtm"&gt;&lt;em&gt;FTC v. IMM Interactive, Inc&lt;/em&gt;&lt;/a&gt;. case, the FTC alleged that one set of defendants posted purportedly objective investigative reports on websites designed to look like legitimate news websites, using domain names such as channel2local.com, nbsnewsat6.com, and channel9healthbeat.com. The FTC also made similar charges in&lt;em&gt; &lt;a href="http://www.ftc.gov/os/caselist/1123072/index.shtm"&gt;FTC v. Coulomb Media, Inc&lt;/a&gt;.&lt;/em&gt;, but also alleged that the defendants there maintained websites purporting to be independent consumers&amp;rsquo; blogs reporting their experience using the acai products.  
In both cases, the FTC alleged that the defendants and their affiliates made false and deceptive claims regarding weight loss benefits resulting from the use of their products, when the Defendants did not possess any reasonable basis to substantiate the claims.  In the &lt;em&gt;Coulomb&lt;/em&gt; case, the FTC also alleged that the defendants failed to disclose in a clear and conspicuous manner that the purported blogs were not objectively evaluating the products.&lt;/p&gt;
&lt;p&gt;In addition to monetary payments and agreements not to engage in enumerated deceptive acts, the settlement also requires the &lt;em&gt;IMM Interactive&lt;/em&gt; defendants to monitor all its affiliate marketers when selling any good or service, obtain adequate information about the affiliate marketers it hires, approve their advertisements, and immediately stop processing payments generated by any affiliate marketer using deceptive advertisements.&lt;/p&gt;
&lt;p&gt;Note that these are the third and fourth in a string of FTC settlements over the past few years dealing with the Guides, the first of which was the &lt;a href="http://www.ftc.gov/opa/2010/08/reverb.shtm"&gt;&lt;em&gt;Reverb case&lt;/em&gt;&lt;/a&gt; and the second was the &lt;a href="http://www.ftc.gov/opa/2011/03/legacy.shtm"&gt;&lt;em&gt;Legacy Learning&lt;/em&gt;&lt;/a&gt; (guitar lessons) case.  In &lt;em&gt;Reverb&lt;/em&gt;, the FTC alleged that Reverb (a PR firm) posted reviews for its clients on the iTunes store that appeared as independent reviews reflecting the views of ordinary consumers.  In &lt;em&gt;Legacy Learning&lt;/em&gt;, the FTC alleged that Legacy Learning used an affiliate program where, among other activities, the affiliates wrote positive reviews about the product next to hyperlinks to the Legacy Learning web site.  The affiliates received a commission on the sale of products purchased via those links, but did not disclose that fact.  In addition to ongoing compliance obligations, Legacy agreed to pay $250,000 as part of the settlement.&lt;/p&gt;
&lt;p&gt;Any company advertising through affiliates should carefully consider the &lt;a href="http://www.ftc.gov/os/2009/10/091005revisedendorsementguides.pdf"&gt;Guides and this string of FTC settlements&lt;/a&gt;, and consider how they might impact the organization's affiliate marketing efforts. Although the Guides are not law, they explain what conduct the FTC considers deceptive under Section 5 of the FTC Act in connection with certain types of offline and online advertising. Although advertisers should be fully aware of the Guides, some key excerpts relevant to affiliate advertisers are as follows:&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Endorsements must reflect the honest opinions, findings, beliefs, or experience of the endorser, and may not convey any express or implied representation that would be deceptive if made directly by the advertiser.  16 C.F.R. &amp;sect; 255.1(a).&lt;/li&gt;
&lt;/ul&gt;
&lt;ul&gt;
    &lt;li&gt;Advertisers are subject to liability for false or unsubstantiated statements made through endorsements, or for failing to disclose material connections between themselves and their endorsers.  16 C.F.R. &amp;sect; 255.1(d).&lt;/li&gt;
&lt;/ul&gt;
&lt;ul&gt;
    &lt;li&gt;An advertisement employing endorsements by one or more consumers about the performance of an advertised product or service will be interpreted as representing that the product or service is effective for the purpose depicted in the advertisement.  Therefore, the advertiser must possess and rely upon adequate substantiation, including, when appropriate, competent and reliable scientific evidence, to support such claims made through endorsements in the same manner the advertiser would be required to do if it had made the representation directly, i.e., without using endorsements. 16 C.F.R. &amp;sect; 255.2(a).&lt;/li&gt;
&lt;/ul&gt;
&lt;ul&gt;
    &lt;li&gt;When there exists a connection between the endorser and the seller of the advertised product that might materially affect the weight or credibility of the endorsement (i.e., the connection is not reasonably expected by the audience), such connection must be fully disclosed. 16 C.F.R. &amp;sect; 255.5.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;To address these principles, the FTC indicates that:&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;An advertiser should provide guidance and training to its bloggers and affiliates concerning the need to ensure that statements they make are truthful and substantiated.  The advertiser should also monitor bloggers and affiliates who are being paid to promote its products and take steps necessary to halt the continued publication of deceptive representations when they are discovered.&lt;/li&gt;
&lt;/ul&gt;
&lt;ul&gt;
    &lt;li&gt;If the relationship between a blogger or affiliate and an advertiser is not inherently obvious (e.g., where a company sends products, free of charge, to bloggers to review), the blogger should clearly and conspicuously disclose that he received the product for free.  With respect to affiliate marketers, the affiliate should disclose that it will receive a commission if the advertisement is paired with the affiliate&amp;rsquo;s endorsement of the product.  The company should advise its bloggers and affiliates that this connection should be disclosed, and it should have procedures in place to try to monitor postings for compliance.&lt;/li&gt;
&lt;/ul&gt;
&lt;ul&gt;
    &lt;li&gt;An employee of a company who posts on an online message board regarding his company&amp;rsquo;s products should clearly and conspicuously disclose his relationship to the company to members and readers of the message board.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;With respect to affiliate marketing relationships, does this mean that an advertiser must monitor the content of all pages upon which its ads appear?  Such a burden becomes troublesome for a company that advertises its products through a traditional affiliate marketing program, where potentially thousands of sites may display the advertisement. At a minimum, a company that engages in affiliate marketing should: (i) have its affiliates execute an agreement agreeing to follow a set of guidelines created by the company and the FTC&amp;rsquo;s guidance regarding truthful and substantiated claims and disclosures of material relationships; and (ii) create a written program that includes affiliate guidelines, monitoring of affiliates and enforcement of the guidelines.  While it may not be feasible or affordable to monitor all of the activity arising out of large affiliate marketing networks, a monitoring program that includes reviewing samples and spot-checking affiliates on a regular basis can help address the issues laid out in the FTC&amp;rsquo;s Guides.  In fact, the FTC has indicated that it will take into account the monitoring and enforcement efforts of an advertiser when determining whether to pursue a case and when determining culpability.&amp;nbsp; As this type of marketing becomes the norm for companies of all stripes, thinking ahead and creating workable policies could be the difference between a successful marketing program and an intrusive FTC&amp;nbsp;investigation and action.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/InfoLawGroup/~4/gc4PlUFEgaA" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/InfoLawGroup/~3/gc4PlUFEgaA/</link>
         <guid isPermaLink="false">http://www.infolawgroup.com/2012/04/articles/marketing-1/acai-of-relief-marketers-recent-settlement-of-ftc-charges-serves-as-a-reminder-for-online-advertisers-and-affiliate-marketers/</guid>
         <category domain="http://www.infolawgroup.com/tags">FTC</category><category domain="http://www.infolawgroup.com/tags">FTC Act</category><category domain="http://www.infolawgroup.com/articles">Marketing</category><category domain="http://www.infolawgroup.com/tags">affiliate marketing</category><category domain="http://www.infolawgroup.com/tags">deceptive practices</category><category domain="http://www.infolawgroup.com/tags">endorsements</category>
         <pubDate>Wed, 04 Apr 2012 17:44:10 -0700</pubDate>
         <dc:creator>David Navetta</dc:creator>
      
      <feedburner:origLink>http://www.infolawgroup.com/2012/04/articles/marketing-1/acai-of-relief-marketers-recent-settlement-of-ftc-charges-serves-as-a-reminder-for-online-advertisers-and-affiliate-marketers/</feedburner:origLink></item>
            <item>
         <title>The Security, Privacy and Legal Implications of BYOD (Bring Your Own Device)</title>
         <description>&lt;p&gt;The dizzying array of personal computing device choices can be disorienting.  Smartphones, tablets,  laptops, netbooks, desktops, and sometimes all of the above, are amongst  the device options individuals have these days (and within each category additional brand [iPhone v. Android], software and operating system choices exist).  At the same time, organizations have recognized that mobile devices are crucial to their own success, and many have incurred significant expense purchasing and securing such devices, and equipping their workforce.   Nonetheless, employees are increasingly using (or demanding to use) personal devices to store and process their employer&amp;rsquo;s data, and connect to their networks.  The reasons for this vary from  avoiding the need to carry and manage multiple devices, to the desire to use the most  up-to-date devices that exist, to increased efficiency.&lt;/p&gt;
&lt;p&gt;This trend&amp;nbsp; has been named (as is the fashion), and is referred to as &amp;ldquo;COIT&amp;rdquo; (the &lt;a href="http://www.microsoft.com/enterprise/viewpoints/consumerization/default.aspx#fbid=GVFThbvolrz"&gt;Consumerization of Information Technology&lt;/a&gt;&amp;rdquo;) or BYOD (&lt;a href="http://en.wikipedia.org/wiki/Bring_your_own_device"&gt;Bring Your Own Device&lt;/a&gt;).  Some organizations believe that BYOD  will allow them to &lt;a href="http://www.unisys.com/unisys/ri/topic/researchtopicdetail.jsp?id=700004"&gt;avoid&lt;/a&gt; significant hardware, software and IT support costs.  Even if cost-savings is not the goal, most companies believe that processing of company data on employee personal devices is &lt;a href="http://www.citrix.com/site/resources/dynamic/additional/Citrix_BYO_Index_report.pdf"&gt;inevitable and unavoidable&lt;/a&gt;. Unfortunately, BYOD raises significant data security and privacy concerns, which can lead to potential legal and liability risk.&amp;nbsp; Many companies are having to play catch-up to control these risks.   This blogpost identifies and explores some of the key privacy and security legal concerns associated with BYOD, including &amp;ldquo;reasonable&amp;rdquo; BYOD security, BYOD privacy implications, and security and privacy issues related to BYOD incident response and investigations.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;BYOD &amp;ldquo;Reasonable Security&amp;rdquo;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The InfoLawGroup has written frequently on the concept of reasonable security, including posts about &lt;a href="http://www.infolawgroup.com/2010/05/articles/legal-defensibility-1/the-legal-defensibility-era-is-upon-us/"&gt;&amp;ldquo;legally defensible&amp;rdquo; security&lt;/a&gt; and court interpretations of &lt;a href="http://www.infolawgroup.com/2010/08/articles/reasonable-security/emi-v-comerica-court-finds-banks-security-is-commercially-reasonable-bank-loses-motion-for-summary-judgment/"&gt;reasonable security&lt;/a&gt;.  Organizations implementing a BYOD strategy need to explore the concept of &lt;a href="http://www.infolawgroup.com/2010/08/articles/reasonable-security/emi-v-comerica-court-finds-banks-security-is-commercially-reasonable-bank-loses-motion-for-summary-judgment/"&gt;reasonable security&lt;/a&gt; for personal computer devices in the care, custody and control of their employees and contractors.  Significant security challenges exist in this context, and most of them arise due to the lack of control companies have over their employees&amp;rsquo; devices.&lt;/p&gt;
&lt;p&gt;Take the example of company-owned laptop issued to an employee.  When it comes to security, the company can:&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;determine and limit the type of devices that can be used;&lt;/li&gt;
    &lt;li&gt;implement minimum system requirements and configurations;&lt;/li&gt;
    &lt;li&gt;install security-related software to the device;&lt;/li&gt;
    &lt;li&gt;encrypt company data on the device;&lt;/li&gt;
    &lt;li&gt;apply security patches;&lt;/li&gt;
    &lt;li&gt;monitor the use of the device to detect misuse, hacking or malware;&lt;/li&gt;
    &lt;li&gt;dictate how the device connects to the company&amp;rsquo;s network;&lt;/li&gt;
    &lt;li&gt;install and update anti-virus software;&lt;/li&gt;
    &lt;li&gt;provide support for the device; and&lt;/li&gt;
    &lt;li&gt;obtain/access the device for purposes of an investigation (because the company owns the device).&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;When it comes to their employee-owned personal devices, organizations will partially or fully lose the ability to undertake these actions, and in any event will often be relying on its individual employees to secure their devices. Companies lose the consistency, scalability and efficiency they enjoy when they own their hardware, control their data, and can dictate and scale their IT infrastructure and information security.&lt;/p&gt;
&lt;p&gt;Moreover, to the extent a company's employees are unable or unwilling to implement particular security controls, the organization may be increasing its security risk.  This can also increase legal and liability risk related to security.  Organizations engage in complex decision-making processes when securing their systems and sensitive data and for purposes of maintaining reasonable and legally defensible security.  The end result is a set of technical, administrative and physical controls (typically reflected in a written security program) that the organization determines is sufficient to reduce its security risk to an appropriate level. From a legal point of view the written security program may also be used to set an organization&amp;rsquo;s minimum legal standard of care.  The failure of an organization to comply with its own security program is a key factor that can (and will) be used by plaintiffs&amp;rsquo; counsel or regulators to argue for liability after a security breach.&lt;/p&gt;
&lt;p&gt;This presents a serious problem in the BYOD context.   For example, assume an organization&amp;rsquo;s own mobile device security standard requires encryption of all sensitive data on &lt;strong&gt;&lt;em&gt;company-owned &lt;/em&gt;&lt;/strong&gt;computer devices, and the employee&amp;rsquo;s BYOD mobile device is not achieving this standard.  If the employee&amp;rsquo;s personal device is hacked and the unencrypted sensitive data stolen, the company&amp;rsquo;s own mobile device security standard will likely be used to argue that the company did not implement reasonable security.&lt;/p&gt;
&lt;p&gt;To reduce legal and liability risk, companies implementing a BYOD strategy need to carefully analyze their existing security policies to determine how they relate to and impact their employees' use of their personal devices for business purposes.&amp;nbsp; Policies that may be relevant, include (without limitation):&amp;nbsp; mobile device security policies, password policies, encryption policies, data classification policies, acceptable use policies, antivirus software policies, wireless access policies, incident response policies, remote working policies, privacy policies, and others. If a company&amp;rsquo;s security policies already require certain security measures, it must be determined whether it is possible to match those measures for personal devices.  If there are inconsistencies, organizations need to be ready to explain, why, despite the failure to follow policies that apply to similar devices, the security of an employee&amp;rsquo;s personal device was still reasonable.&lt;/p&gt;
&lt;p&gt;Note, there may be reasonable differences between company-owned devices and employee personal devices, and both may be secured even if the methodology is not the same.     Additional (but different) controls required on personal devices may compensate for missing controls required in company policies.  For example, some companies &lt;a href="http://www.nytimes.com/reuters/2012/03/20/technology/20reuters-cisco-mobilesecurity.html?_r=2&amp;amp;adxnnl=1&amp;amp;adxnnlx=1332518408-Eo8zHyHH4DrLvEnXOjscDQ"&gt;are requiring employees&lt;/a&gt; to install software on their personal devices that provides additional security.&amp;nbsp; Perhaps a lesser set of controls is appropriate in cases where storage of sensitive data on personal devices &lt;a href="http://www.govinfosecurity.com/articles.php?art_id=4382&amp;amp;opg=1"&gt;is prohibited &lt;/a&gt;(by policy or otherwise).   In any event, for any BYOD implementation,  it is important to investigate potential inconsistencies and rationalize why those differences do not equate to unreasonable security on personal devices.  This process ultimately results in a Personal Device Use Policy that reflects the security trade-offs and requirements that come out of this analysis.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;BYOD and Employee Privacy&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The very nature of BYOD highlights the employee privacy challenges at issue.  Employees and contractors of organizations will be using the same devices they use for work to engage in personal computing that involves a host of private activities and content, including web surfing history, personal emails, photos, chat histories, personally identifiable information, music, movies, software, user names and passwords and financial account numbers. We have already seen significant legal activity relating to an employee&amp;rsquo;s expectation of privacy when using a company-issued device for personal reasons.&lt;/p&gt;
&lt;p&gt;The &lt;a href="http://www.supremecourt.gov/"&gt;U.S. Supreme Court&lt;/a&gt; recently considered this issue in the &lt;a href="http://www.supremecourt.gov/opinions/09pdf/08-1332.pdf"&gt;&lt;em&gt;City of Ontario, California v. Quon&lt;/em&gt;&lt;/a&gt; (for a closer look at Quon please visit &lt;a href="http://www.infolawgroup.com/2010/06/articles/workplace-privacy/quon-us-supreme-court-rules-against-privacy-on-employerissued-devices/ "&gt;this ILG post&lt;/a&gt;).    &lt;em&gt;Quon&lt;/em&gt; involved a search by a city concerning an employee&amp;rsquo;s (a police officer in this case) alleged use of the city&amp;rsquo;s device for personal texting (including sexually explicit materials) both on and off duty.    The police officer argued that the city&amp;rsquo;s actions represented an unreasonable search in violation of the &lt;a href="http://en.wikipedia.org/wiki/Fourth_Amendment_to_the_United_States_Constitution"&gt;Fourth Amendment of the US Constitution&lt;/a&gt;, the privacy clause found in Article I, section 1 of the California constitution, and also the federal Stored Communications Act (SCA).&lt;/p&gt;
&lt;p&gt;The key issue in front of the Court was the extent to which the police officer had a reasonable expectation of privacy with respect to private messages sent and received on a city-owned device while on or off duty, and if so, whether the city&amp;rsquo;s search was unreasonable.    Unfortunately, the Court did not rule on whether an expectation of privacy existed, and instead assumed that such an expectation was present for the sake of argument (the Court did note, however, that the city&amp;rsquo;s policies disclaimed any expectation of privacy, and that this was a factor in determining whether any expectation reasonably existed).  It then turned to whether the city&amp;rsquo;s search was reasonable, and held that the city&amp;rsquo;s search of text message content was reasonable because it was undertaken for a work-related purpose and was not excessively intrusive under the circumstances.&amp;nbsp; In this case, the city&amp;rsquo;s review was limited to a two-month sample of messages.&amp;nbsp; In addition, to limit the intrusion into Mr. Quon's personal life, the city redacted the officer&amp;rsquo;s messages sent and received while he was off duty.&lt;/p&gt;
&lt;p&gt;How does privacy play out in a BYOD context?  Again it comes down to looking at how an organization monitors its employees' behavior when using computer devices owned and issued by the organization.  For example, it is not unusual for companies to monitor their employees' activities while working on the company&amp;rsquo;s network (regardless of the type of device connected to that network).   For company-issued devices, additional monitoring of employee usage may occur at the device level (e.g. key-stroke logging or mobile device management software that tracks the geolocation of mobile devices).   However, when it comes to personal devices, because it is known that personal and private activities are likely to take place on the device, for privacy reasons, the same types of monitoring may not be appropriate.&lt;/p&gt;
&lt;p&gt;As discussed further below, another key privacy-related issue relates to investigations involving personal devices.  If an image of a device&amp;rsquo;s hard drive is needed for an investigation of a security breach or for e-Discovery purposes, the captured data is likely to include private/personal information of the employee.   Organizations can try to limit the scope of an investigation or data capture involving a personal device, but if they fail to preserve data that may be evidence in litigation they could face spoliation problems in court or miss key information needed for an investigation or remediation of a breach.&lt;/p&gt;
&lt;p&gt;In all, companies need to carefully consider their intended goals when it comes to monitoring their employees&amp;rsquo; use of their own devices, and balance those goals against these privacy concerns and potential legal limitations.  Organizations should make their employees aware of the privacy trade-offs and the reasonable expectations of privacy related to their use of a personal device for work.  Note, expectations of privacy in this context may be higher because a personal device is at issue, and this should be taken into account by companies considering a BYOD strategy and informing their employees of privacy-related issues.  If monitoring or an investigation is necessary, organizations should design their efforts in a manner that seeks to minimize the potential exposure of personal and private information.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;BYOD Incident Response and Investigations&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;BYOD poses significant challenges related to incident response and investigations that impact privacy, security and legal concerns.&amp;nbsp; Since individual employees own and possess their personal devices, when something goes wrong it may be difficult to actually obtain access to or possession of the device.  This can be especially true when the employee itself is the subject of an investigation.&amp;nbsp;&amp;nbsp; If data collection and preservation is necessary, the inability to access and possess a physical device can be extremely detrimental.  For example, if an organization is not able to preserve data that may constitute evidence in litigation, it could face court sanctions.     This issue also poses problems for the individuals themselves who will likely (at least temporarily) be unable to use their personal device while it is being investigated.  In addition, as mentioned above, capturing data or images of hard drives related to personal devices implicates potential privacy issues.  In developing their BYOD strategies companies need to develop BYOD incident response procedures and inform their employees of those procedures.&lt;/p&gt;
&lt;p&gt;Beyond investigations, for security reasons, some organizations may want to enable remote wiping, bricking and blocking of personal devices that are lost or breached.  This too may pose challenges.  First, it may be necessary to have employees load certain software to their personal devices or configure their devices in a certain manner to allow for remote wiping, bricking and blocking.  Employees should be notified of these requirements and consent to them.  Second, the wiping, bricking or blocking of a device could damage the device and/or data residing on the device.  If a device is remotely wiped to remove sensitive company data from it, that wiping could also wipe out the employee&amp;rsquo;s personal emails, pictures, videos and software.  Again, employees should be notified that damage, loss of use and data loss are all possibilities if they use their personal device for work purposes.  Moreover, they should sign a waiver consenting to such activities and holding the organization harmless for any such damage, loss of use or data loss.  All of this should be reflected in the organization&amp;rsquo;s Personal Device Use Policy and accompanying waivers and consent forms.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Conclusion&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;All too often companies considering a BYOD policy find that their employees are already using their personal devices for work purposes and to store sensitive information.  This makes it more difficult to manage these issues in a deliberate manner and set up policies that address the security, privacy and legal risks associated with BYOD.  Nonetheless, the complex legal implications of BYOD must be carefully considered using a multi-disciplinary approach (e.g. legal, security, privacy, IT, risk management, etc.) that takes the company's existing infrastructure and risk tolerance into account.  The end result should be a Personal Device Use Policy that addresses the various risks and strikes a balance that works for the organization.   Also key, because of the personal nature of the devices in this context, is informing, educating and training employees concerning the privacy, security and incident response implications of using their own device for work purposes.&amp;nbsp; Working through these issues can help to reduce the legal and liability risk that companies may face.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/InfoLawGroup/~4/eSdXqVEusfA" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/InfoLawGroup/~3/eSdXqVEusfA/</link>
         <guid isPermaLink="false">http://www.infolawgroup.com/2012/03/articles/byod/the-security-privacy-and-legal-implications-of-byod-bring-your-own-device/</guid>
         <category domain="http://www.infolawgroup.com/tags">"mobile</category><category domain="http://www.infolawgroup.com/articles">BYOD</category><category domain="http://www.infolawgroup.com/tags">Fourth Amendment</category><category domain="http://www.infolawgroup.com/tags">Mobile</category><category domain="http://www.infolawgroup.com/">Privacy</category><category domain="http://www.infolawgroup.com/information-law/statues-and-regulations/state">Security</category><category domain="http://www.infolawgroup.com/tags">anti-virus</category><category domain="http://www.infolawgroup.com/tags">bring your own device</category><category domain="http://www.infolawgroup.com/tags">coit</category><category domain="http://www.infolawgroup.com/tags">device</category><category domain="http://www.infolawgroup.com/tags">encrypt</category><category domain="http://www.infolawgroup.com/tags">incident response</category><category domain="http://www.infolawgroup.com/tags">management</category><category domain="http://www.infolawgroup.com/tags">mobile privacy</category><category domain="http://www.infolawgroup.com/tags">security breach</category><category domain="http://www.infolawgroup.com/tags">security program</category>
         <pubDate>Wed, 28 Mar 2012 13:32:25 -0700</pubDate>
         <dc:creator>David Navetta</dc:creator>
      
      <feedburner:origLink>http://www.infolawgroup.com/2012/03/articles/byod/the-security-privacy-and-legal-implications-of-byod-bring-your-own-device/</feedburner:origLink></item>
            <item>
         <title>New Ponemon Data Breach Study Finds Breach Costs Have Fallen</title>
         <description>&lt;p&gt;Since its first issue seven years ago, the &lt;a href="http://www.ponemon.org"&gt;Ponemon Institute&amp;rsquo;s&lt;/a&gt; annual Cost of Data Breach Study (&amp;ldquo;CDBS&amp;rdquo;) has become a must read for privacy and breach professionals. The &lt;a href="http://www.symantec.com/about/news/resources/press_kits/detail.jsp?pkid=ponemon-cost-of-a-data-breach-2011"&gt;latest CDBS study&lt;/a&gt;, covering the 2011 year, can be considered a bookend to Verizon&amp;rsquo;s annual &lt;a href="http://www.verizonbusiness.com/resources/reports/rp_data-breach-investigations-report-2012_en_xg.pdf?CMP=DMC-SMB_Z_ZZ_ZZ_Z_TV_N_Z037"&gt;Data Breach Investigations Report&lt;/a&gt;, whose 2012 edition was likewise recently released.&amp;nbsp; The two reports paint a data breach landscape that has changed and continues to change. The 2012 CDBS summarizes data collected in interviewing over 400 individuals from 49 participating organizations.&lt;br /&gt;
&lt;br /&gt;
In the &amp;ldquo;good news&amp;rdquo; department, the CDBS &amp;ndash; which focuses exclusively on U.S. data breaches - highlights several comforting findings. The most significant being that &amp;ldquo;[f]or the first time in seven years, both the organizational cost of data breach and the cost per lost or stolen record have declined. The organizational cost has declined from $7.2 million to $5.5 million and the cost per record has declined from $214 to $194.&amp;rdquo;&lt;/p&gt;&lt;p&gt;The CDBS surmises that &amp;ldquo;[t]his decline suggests that organizations represented in this study have improved their performance in both preparing for and responding to a data breach&amp;rdquo; and I&amp;rsquo;d agree. [Full Disclosure: Attorneys at the InfoLawGroup have handled numerous actual and suspected data breach investigations and responses.] At this point in time established procedures, processes and deadlines for responding to a data breach are well-understood, even though the statutory and regulatory landscape continues to shift.&lt;/p&gt;
&lt;p&gt;The result is that established parties called upon to handle or aid in a data breach are generally experienced and have the processes down to, if not a science, at least a well-honed procedure guided by battle-tested plans. This is not to say that data breaches have become a ho-hum or blas&amp;eacute; low-priority incident. Not at all, as anyone who&amp;rsquo;s been involved with one can testify. Data breaches are stressful, trying, but at least according to the CDBS a slightly less expensive event now than they were in previous years.&lt;/p&gt;
&lt;p&gt;However, one caveat should be noted before you unbox the party hats. The CDBS clearly states that it does &amp;ldquo;not include organizations that had data breaches in excess of 100,000&amp;hellip;&amp;rdquo; Why? Because the Ponemon Institute feels &amp;ldquo;they are not representative of most data breaches and including them in the study would skew the results.&amp;rdquo; Many have mixed opinions on this elision. I recommend a quick read through the entire 27-page report to draw your own conclusions.&lt;/p&gt;
&lt;p&gt;Nevertheless, despite this lacuna other key findings in the CDBS are that:&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;More customers remain loyal following a data breach&lt;/li&gt;
    &lt;li&gt;Negligent insiders and malicious attacks are the main causes of data breach (dovetailing with Verizon&amp;rsquo;s DBIR, which first and foremost dubbed 2011 the year of &amp;ldquo;hacktivists&amp;rdquo; who caused 58% of data theft breaches in 2011)&lt;/li&gt;
    &lt;li&gt;Lost business cost declined sharply from $4.54 million in 2010 to $3.01 million in 2011&lt;/li&gt;
    &lt;li&gt;Certain organizational factors can reduce the overall cost of a data breach&lt;/li&gt;
    &lt;li&gt;Specific attributes or factors of a data breach can increase the overall breach cost&lt;/li&gt;
    &lt;li&gt;Detection and escalation costs declined in 2011 but notification costs increased&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;Other Notable Topics Covered in the CDBS&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;&lt;u&gt;Cost of Data Breach Decline &lt;/u&gt;&amp;ndash; So what does it mean that the cost per record in a data breach has dropped to $194 from $214? The answer is pretty squarely in what the CDBS dubs &amp;ldquo;indirect costs,&amp;rdquo; such as abnormal turnover and churn of existing and future customers, as the report places $135 of the $194/record price tag squarely in the indirect cost bucket. Last year&amp;rsquo;s average indirect cost per record tallied $141. Whether people have been inured to or fatigued by the steady &amp;ldquo;oh, look I received another data breach notification in the mail&amp;rdquo; the fact is that fewer people now respond to a data breach by jumping ship.&lt;/p&gt;
&lt;p&gt;Perhaps more significant in the long term, however, is the CDBS&amp;rsquo; finding that the average total &amp;ldquo;organizational&amp;rdquo; costs of a data breach have plunged 24% from 2010 to 2011 - from $7.2 million to $5.5 million. By any measure this is an eye-opening drop. So what&amp;rsquo;s behind it? The CDBS identifies four key metrics driving this drop: the decrease in per capita breach cost; the average size of a data breach; the decrease in abnormal customer churn and finally a drop in the average total cost of a data breach response.&lt;/p&gt;
&lt;p&gt;Again, however, caution is warranted before popping those champagne corks as your mileage may vary, dramatically so, depending on your specific industry, given that the CDBS notes per capita costs from a breach range widely depending on the specific sectoral industry segment: from a low of $89 in &amp;ldquo;media&amp;rdquo; companies to a high of $247 to $334 for financial, pharma and communications companies. The end result is that while the &amp;ldquo;average&amp;rdquo; cost of a data breach has dropped, your individual breach-related costs may not follow this average &amp;ndash; recognizing, as always, the importance of having an experienced response team on hand with proven breach investigation and response skills.&lt;/p&gt;
&lt;p&gt;As always human nature is the driver behind the majority of breaches:&amp;nbsp; according to the CDBS, 76% of data breaches were traced to either negligence or a malicious or criminal attack. As a subgroup malicious attacks remain, as in previous years, the most costly data breach scenario (whether by outsiders or criminal insiders) with an average per capita cost of $222 &amp;ndash; significantly above the heralded mean of $194. Correspondingly, however, breaches caused by negligence had a per capita cost of $174, lower than both the mean and the average.&lt;/p&gt;
&lt;p&gt;Of the malicious or criminal attacks leading to breach, fully 50% were traced back to viruses, malware, worms and Trojans. Web-based and social engineering attacks leading to a breach were each 17% of the malicious or criminal attacks experienced by the 18 companies analyzed by the Ponemon Institute. I draw a somewhat different ultimate conclusion from this CDBS based on my perspective. Namely, it&amp;rsquo;s very helpful to have these percentage breakdowns in determining how to allocate preventative training and security costs, but one should never lose sight of the fact that your particular breach may not follow the aggregate percentages. In short, attempt to expect the unexpected and remain acutely aware of the fact that your breach could come from an outlier source.&lt;/p&gt;
&lt;p&gt;&lt;u&gt;Positive and Negative Attributes Influencing Data Breach Costs&lt;/u&gt; &amp;ndash; Another instructive portion of the report, with proactive lessons for those facing or preparing for a data breach scenario, is the review starting on page 10 of &amp;ldquo;[s]ix positive and negative attributes can influence the cost of data breach.&amp;rdquo; Stepping through the seven years&amp;rsquo; worth of lessons learned from its past studies the Institute gleans a passel of prominent recommendations and insights that can influence the cost of a data breach. The six attributes are:&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;The company has a Chief Information Security Officer (CISO or equivalent title) with overall responsibility for enterprise data protection. The CDBS notes &amp;ldquo;forty-three percent of the companies it&amp;rsquo;s survey have centralized the management of data protection with the appointment of a C-level security professional.&amp;rdquo; Putting data security in the C-suite is a smart move any way you slice it.&lt;/li&gt;
    &lt;li&gt;Third parties are dangerous. How much of a danger? Well, forty-one percent of organizations suffering a data breach determined it was caused by a third party. Scrutinize carefully any outsourcer, cloud provider and business partners that will be handling or have access to your data.&lt;/li&gt;
    &lt;li&gt;Quick notification is becoming the order of the day. The CDBS states forty-one percent (that percent again) notified victims within 30 days or less. However, a quick draw on notification can be counterproductive, because as the CDBS also notes, those companies that &amp;ldquo;responded and notified customers too quickly without a thorough assessment of the data breach also paid an average of $33 more per record.&amp;rdquo; The moral? Be quick, but not too quick with your assessment of the overall data breach.&lt;/li&gt;
    &lt;li&gt;Lost or stolen devices. A hefty thirty-nine percent of organizations suffered a data breach resulting from a lost or stolen mobile device, including laptops, smartphones, tablets and flashdrives. Mobility is great and we couldn&amp;rsquo;t effectively work without it, but recognize the hazard and be proactive.&lt;/li&gt;
    &lt;li&gt;The home team calls in extra help. Thirty-seven percent of organizations in the study hired consultants to assist in their data breach response and remediation. Frankly, I&amp;rsquo;m surprised that figure isn&amp;rsquo;t higher, because all too often attempting to handle a data breach internally without experienced help frequently leads to wasted time, inaccurate assessment of the breach, lost productivity and improper notifications. Granted consultants and outside legal experts cost money, but they may in fact &amp;ldquo;pay for themselves&amp;rdquo; in improving the overall breach response efficiency.&lt;/li&gt;
    &lt;li&gt;Data breaches are recurring. Unlike the myth of lightning never striking the same place twice, data breaches do hit the same target again and again. In fact the CDBS reports &amp;ndash; which may surprise some &amp;ndash; that &amp;ldquo;[m]ost of the organizations in this year&amp;rsquo;s study have already experienced a data breach. Only 22 percent say it is the first time.&amp;rdquo;&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;&lt;strong&gt;Final Thoughts&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;I highly recommend a full read of the Cost of Data Breach Study to gain a thorough understanding of the findings and methodology, as well as the limits of the findings, taking special note of the express limitations detailed on page 25. The report is easily read, understandable to IT, legal and C-level executives alike and provides a concise snapshot of the 2011 data breach landscape. Not only that, but companies that take heed of how and where data breaches have occurred in their peers are forearmed to take the necessary steps to both minimize the chance of a breach occurring and respond in a cost effective manner should the worst occur. As always the attorneys at the InfoLawGroup are happy to discuss any aspect of the CDBS report or your own data breach preparations or response needs with you.&lt;/p&gt;
&lt;p&gt;&lt;br /&gt;
&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/InfoLawGroup/~4/jsMmkFM0HBI" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/InfoLawGroup/~3/jsMmkFM0HBI/</link>
         <guid isPermaLink="false">http://www.infolawgroup.com/2012/03/articles/breach-notification-2/new-ponemon-data-breach-study-finds-breach-costs-have-fallen/</guid>
         <category domain="http://www.infolawgroup.com/articles">Breach Notification</category><category domain="http://www.infolawgroup.com/tags">Ponemon Institute</category><category domain="http://www.infolawgroup.com/tags">Richard Santalesa</category><category domain="http://www.infolawgroup.com/tags">data breach</category>
         <pubDate>Wed, 28 Mar 2012 09:03:08 -0700</pubDate>
         <dc:creator>Richard Santalesa</dc:creator>
      
      <feedburner:origLink>http://www.infolawgroup.com/2012/03/articles/breach-notification-2/new-ponemon-data-breach-study-finds-breach-costs-have-fallen/</feedburner:origLink></item>
            <item>
         <title>California Court Rules that Gathering ZIP Codes for Fraud Prevention does not Violate the Credit Card Act</title>
         <description>&lt;p&gt;On March 14, 2012 a California district court ruled in&lt;em&gt; Flores v. Chevron &lt;/em&gt;that a gas station gathering ZIP Codes for fraud prevention did not violate Civil Code &amp;sect; 1747.08, the Song-Beverly Credit Card Act (&amp;ldquo;Credit Card Act&amp;rdquo;).&amp;nbsp; The Credit Card Act prohibits businesses from recording a customer&amp;rsquo;s personal information in conjunction with a credit card purchase.&amp;nbsp; The Act has an exception from this prohibition for the collection of personal information &amp;ldquo;required for a special purpose incidental but relating to the individual credit card transaction.&amp;rdquo;&lt;br /&gt;
&lt;br /&gt;
In &lt;em&gt;Flores&lt;/em&gt;, a customer challenged the traditional fraud prevention practice at gas stations of asking for the billing ZIP Code of the credit card being used to purchase gas.&amp;nbsp; The case follows the 2011 California Supreme Court decision in &lt;em&gt;Pineda v. Williams-Sonoma Stores&lt;/em&gt;, in which the Court ruled that the collection of ZIP Codes by retailers at the register during a credit card transaction was a violation of the Credit Card Act.&amp;nbsp; Williams-Sonoma stores were collecting ZIP Codes for the purposes of marketing and advertising research at the time customers were paying for purchases with their credit cards, which the Court found to be precisely the type of collection of personal information that is prohibited by the Credit Card Act.&amp;nbsp; In &lt;em&gt;Flores&lt;/em&gt;, however, the district court ruled that the gas station&amp;rsquo;s stated purpose of collection -- fraud prevention -- is a &amp;ldquo;special purpose&amp;rdquo; that qualifies the collection of customer ZIP Codes as permitted activity outside the scope of the Credit Card Act&amp;rsquo;s prohibition on the recording of personal information.&amp;nbsp; &lt;br /&gt;
&amp;nbsp;&lt;/p&gt;&lt;p&gt;Interestingly, because the court determined that the Credit Card Act did not apply due to the exception, the court refused to consider plausible fraud prevention alternatives that would be less intrusive on personal information, such as collecting a card&amp;rsquo;s CCV code instead of a ZIP Code. The court acknowledged that the use of ZIP Codes may not have been the least intrusive method and that the gas station&amp;rsquo;s choice of ZIP Codes for fraud prevention may have been motivated by a desire to gain leverage with consumers in marketing the gas station&amp;rsquo;s fraud prevention efforts. The court observed, however, that because the statute did not apply due to the special purposes exception, there is no need for courts and lawyers to help &amp;ldquo;design&amp;rdquo; gas stations&amp;rsquo; fraud prevention marketing campaigns. According to the district court, if recording ZIP Codes is a permissible method of fraud prevention, then there is no jurisdiction for a court to tell gas stations to use another method of fraud prevention instead.&lt;br /&gt;
&lt;br /&gt;
The court&amp;rsquo;s use of the &amp;ldquo;special purpose&amp;rdquo; &lt;em&gt;exception&lt;/em&gt; is further noteworthy because the court chose not to rely on a narrower &lt;em&gt;exemption&lt;/em&gt; within the Act that specifically exempts &amp;ldquo;retail motor fuel dispenser[ies] &amp;hellip; [that use] the ZIP Code information solely for prevention of fraud, theft, or identity theft.&amp;rdquo; The district court&amp;rsquo;s reliance on the broader exception raises the question whether the gas station (or other retailers with a similar fraud prevention program) may subsequently use for marketing purposes ZIP Codes initially collected for fraud prevention. If the Credit Card Act is interpreted to permit subsequent marketing use of fraud prevention data, one has to wonder whether the Pineda case would have had a different outcome if Williams-Sonoma had been collecting the ZIP Codes initially for a fraud prevention program and subsequently using the information for marketing research. While there is an argument that such an interpretation may be inconsistent with the purpose of the Credit Card Act, we will continue to monitor how the courts interpret the Act.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/InfoLawGroup/~4/wOCF5Wc5_vc" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/InfoLawGroup/~3/wOCF5Wc5_vc/</link>
         <guid isPermaLink="false">http://www.infolawgroup.com/2012/03/articles/privacy-law/california-court-rules-that-gathering-zip-codes-for-fraud-prevention-does-not-violate-the-credit-card-act/</guid>
         <category domain="http://www.infolawgroup.com/articles">Privacy Law</category>
         <pubDate>Mon, 26 Mar 2012 11:17:34 -0700</pubDate>
         <dc:creator>Nihar Shah</dc:creator>
      
      <feedburner:origLink>http://www.infolawgroup.com/2012/03/articles/privacy-law/california-court-rules-that-gathering-zip-codes-for-fraud-prevention-does-not-violate-the-credit-card-act/</feedburner:origLink></item>
            <item>
         <title>FTC Issues Final Commission Report on Protecting Consumer Privacy</title>
         <description>&lt;p&gt;Earlier today the &lt;a href="http://www.ftc.gov"&gt;Federal Trade Commission&lt;/a&gt; issued its long-awaited final report entitled &amp;quot;&lt;a href="http://www.ftc.gov/os/2012/03/120326privacyreport.pdf"&gt;Protecting Consumer Privacy in an Era of Rapid Change: A Proposed Framework for Businesses and Policymakers&lt;/a&gt;&amp;quot; (the &amp;ldquo;Framework&amp;rdquo;). The Framework focuses on three primary principles:  1) Privacy by Design; 2) Simplified Choice for Businesses and Consumers; and 3) Greater Transparency.  The vote approving the report was 3-1. Commissioner J. Thomas Rosch dissented from the issuance of the Final Privacy Report.&lt;/p&gt;
&lt;p&gt;The FTC has a front and center role in data privacy and enforcement. We have written extensively about the FTC&amp;rsquo;s actions and recommendations, including numerous posts analyzing the original preliminary staff report version of the Framework, released in December 2010. We also reviewed each of the 450+ public comments submitted in response to the preliminary staff report.&lt;/p&gt;&lt;p&gt;How is the final Framework different from the draft Framework and what should your privacy professionals be taking away from the Framework?&lt;/p&gt;
&lt;p&gt;First, the Framework takes a strong position on setting forth best practices to protect the privacy of American consumers and give them greater control over the collection and use of their personal data. Second, as part of this effort, the FTC recommends Congress consider enacting general privacy legislation, data security and breach notification legislation, as well as data broker legislation, which marks new but not unexpected territory for the Framework.&lt;/p&gt;
&lt;p&gt;During the conference call this morning, the FTC stressed that the Framework seeks continuity rather than change. The final Framework moves away from the draft Framework in several significant ways.  As the FTC stated:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;&amp;ldquo;The final report changes the guidance's scope. The preliminary report recommended that the proposed framework apply to all commercial entities that collect or use consumer data that can be linked to a specific consumer, computer, or other device. Recognizing the potential burden on small businesses, the report concludes that the framework should not apply to companies that collect and do not transfer only non-sensitive data from fewer than 5,000 consumers a year. The report also responds to comments filed by organizations and individuals that, with technological advances, more and more data could be &amp;lsquo;reasonably linked&amp;rsquo; to consumers, computers, or devices. The final report concludes that data is not &amp;lsquo;reasonably linked&amp;rsquo; if a company takes reasonable measures to de-identify the data, commits not to re-identify it, and prohibits downstream recipients from re-identifying it.&amp;rdquo;&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;The FTC's revised recommendations in the final Framework also recognize recent court cases arising from zip codes and other potentially identifying information that is nonetheless used as part of legitimate product fulfillment and fraud prevention.  And finally, the report contains new and important recommendations concerning data brokers: stressing the Commission's prior call and support of legislation to provide consumers with access to information stored by data brokers; and further calling upon data brokers to explore creation of a centralized website where consumers may get information about practices and options for controlling data use by data brokers that compile consumer data for marketing purposes.&lt;/p&gt;
&lt;p&gt;Lastly, the accompanying &lt;a href="http://www.ftc.gov/opa/2012/03/privacyframework.shtm"&gt;press release&lt;/a&gt; to the final Framework noted that, over the next year, the FTC staff will work to encourage privacy protections through five main action items:&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;Do-Not-Track;&lt;/li&gt;
    &lt;li&gt;Mobile Privacy;&lt;/li&gt;
    &lt;li&gt;Data Broker Transparency;&lt;/li&gt;
    &lt;li&gt;Large Platform Providers, including Internet Service Providers, operating systems, browsers and social media companies, that seek to comprehensively track consumers' online activities; and&lt;/li&gt;
    &lt;li&gt;Promoting Enforceable Self-Regulatory Codes - in conjunction with the Department of Commerce and industry stakeholders&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;We&amp;rsquo;ll have extensive further review of the final Framework and its expected impact on information security and privacy practices over the coming week.&lt;br /&gt;
&amp;nbsp;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/InfoLawGroup/~4/A5UOxD9Bckc" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/InfoLawGroup/~3/A5UOxD9Bckc/</link>
         <guid isPermaLink="false">http://www.infolawgroup.com/2012/03/articles/privacy-law/ftc-issues-final-commission-report-on-protecting-consumer-privacy/</guid>
         <category domain="http://www.infolawgroup.com/tags">FTC</category><category domain="http://www.infolawgroup.com/tags">FTC framework</category><category domain="http://www.infolawgroup.com/articles">Privacy Law</category><category domain="http://www.infolawgroup.com/tags">Richard Santalesa</category><category domain="http://www.infolawgroup.com/tags">notice of privacy practices</category><category domain="http://www.infolawgroup.com/tags">privacy by design</category>
         <pubDate>Mon, 26 Mar 2012 09:46:09 -0700</pubDate>
         <dc:creator>Richard Santalesa</dc:creator>
      
      <feedburner:origLink>http://www.infolawgroup.com/2012/03/articles/privacy-law/ftc-issues-final-commission-report-on-protecting-consumer-privacy/</feedburner:origLink></item>
            <item>
         <title>FTC Looks to Link Do-Not-Track, Big Data Privacy Concerns; Seeks Solutions</title>
         <description>&lt;p&gt;By &lt;a href="http://www.infolawgroup.com/boris-segalis.html"&gt;Boris Segalis&lt;/a&gt; and &lt;a href="http://www.infolawgroup.com/2009/09/promo/attorneys/nihar-shah/#more"&gt;Nihar Shah&lt;/a&gt;&lt;/p&gt;
&lt;p&gt;Nowadays, a news story on privacy is out of place if it doesn&amp;rsquo;t mention Do-Not-Track (known as &amp;ldquo;DNT&amp;rdquo;) or Big Data.  While these hot topics represent key concerns for privacy professionals, advocates and regulators, there is no clear agreement on what they mean or how to address the privacy issues they raise.  In this post, we consider recent developments on these topics, including how the Federal Trade Commission has sought to focus on and connect these new issues.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;DNT or DNC&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;DNT is in the midst of a multifaceted identity crisis, starting with  a disagreement over the definition of DNT.  Self-regulatory  organizations and the advertising industry assert that DNT stands for  &amp;ldquo;Do Not Target,&amp;rdquo; referring to the use of consumer data for the purposes  of targeted advertising.  The FTC, buoyed by privacy advocates, appears  to take the view that DNT means not only &amp;ldquo;Do Not Target&amp;rdquo; but also &amp;ldquo;Do  Not Collect&amp;rdquo; (DNC).  &lt;a href="http://www.ftc.gov/commissioners/brill/index.shtml"&gt;FTC Commissioner Brill&lt;/a&gt; elaborated at the &lt;a href="https://www.privacyassociation.org/events_and_programs/global_privacy_summit"&gt;2012 IAPP Summit&lt;/a&gt;  that she doesn&amp;rsquo;t view the current DNT efforts as entirely sufficient  because the choice DNT offers does not give consumers appropriate  protection against what Brill characterized as &amp;ldquo;limitless, unmitigated&amp;rdquo;  data collection.  But Brill does not argue for wholesale implementation  of DNC, and has indicated that the details of the implementation of  DNT/DNC will continue to remain a key focus for the FTC.&lt;/p&gt;&lt;p&gt;The industry has continued to respond to these concerns by trying to balance consumer and business interests.  While privacy advocates want consumers to have the option to truly opt out of all information collection about them, industry leaders argue that such a move would severely undercut e-commerce in the United States.  In late February, the FTC and Digital Advertising Alliance (DAA) announced Obama Administration support for the DAA&amp;rsquo;s &amp;ldquo;Do Not Track&amp;rdquo; button, in which a consumer presses the button on any browser, and all participating advertisers and browsers would not store consumer information to be used in targeted advertising.  
But privacy advocates have expressed reservations about the solution, calling attention to the fact that the button would not allow consumers to opt out of other types of tracking, such as for market research or website analytics.  Commissioner Brill has called the latest DAA proposal &amp;ldquo;a good first step&amp;rdquo; but indicated that the FTC does not fully support the DAA&amp;rsquo;s view that a &amp;ldquo;Do Not Target&amp;rdquo; industry standard is completely adequate.  She explained that &amp;ldquo;Do Not Track is not just Do Not Target, but also, when the consumer so chooses, Do Not Collect.&amp;rdquo;  The FTC and DAA both believe that consumer choice is the best method for advocating consumer privacy, but an agreement on what that choice should entail is a long way off.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;First Party v. Third Party&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Another disagreement affecting DNT is the line between so called &amp;ldquo;first party&amp;rdquo; data collection and tracking and &amp;ldquo;third party&amp;rdquo; activities.  Broadly, &amp;ldquo;first party&amp;rdquo; data collectors collect information from users with whom they have a direct relationship (e.g., information CNN collects during a user&amp;rsquo;s visit to its site).  A &amp;ldquo;third party&amp;rdquo; data collector collects data about users with whom it does not have a direct relationship (e.g., information collected on the CNN site by advertising networks).  For example, a social media platform may act as both a &amp;ldquo;first party&amp;rdquo; and &amp;ldquo;third party&amp;rdquo; collector.  When a user inputs her birthday and name into Google+, the user should reasonably expect Google+ to use that information as part of the service.  This is &amp;ldquo;first party&amp;rdquo; data processing.  However, when Google places a &amp;ldquo;+1&amp;rdquo; button on a different website, a user may not understand that Google is collecting other information about that user in conjunction with that &amp;ldquo;+1&amp;rdquo; button.  This is &amp;ldquo;third party&amp;rdquo; processing.&lt;/p&gt;
&lt;p&gt;At the IAPP Summit, Commissioner Brill was challenged on the notion that there is great significance to the relationship between the party collecting data and the consumer.  Some of her co-panelists suggested, for example, that data protection should be driven by the nature of the information, not the relationship with the consumer.  But it appears that the FTC will continue to focus on the &amp;ldquo;first party&amp;rdquo; and &amp;ldquo;third party&amp;rdquo; distinction.  The FTC sees a greater threat to consumers in third-party data collection because of perceived lack of notice, choice and transparency in the practices of data collectors and data aggregators (including deep packet inspection and affiliate marketing) that do not have a direct relationship with consumers.  But the real challenge is understanding where to draw the line between &amp;ldquo;first party&amp;rdquo; and &amp;ldquo;third party&amp;rdquo; practices.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Big Data&lt;br /&gt;
&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;In the FTC&amp;rsquo;s view, concerns about third-party data processing activities have been exacerbated by the changing character of data collection and use.  While DNT efforts were initially driven by the desire to offer consumers some protection from behavioral advertising, Brill now also sees DNT as a component of oversight of what has become known as &amp;ldquo;Big Data.&amp;rdquo;&lt;/p&gt;
&lt;p&gt;Without necessarily referring to the practice as &amp;ldquo;Big Data,&amp;rdquo; the media has with some consistency attempted to understand it.  For example, a &lt;a href="http://online.wsj.com/article/SB10001424052748703940904575395073512989404.html"&gt;2010 Wall Street Journal study&lt;/a&gt; found that websites had an average of 64 different tracking tools collecting information about site users.  With so many data points in hand, many data aggregation companies, a.k.a. data brokers, are able to pinpoint a user&amp;rsquo;s identity and specific preferences without having any information traditionally considered as personally identifiable information.  Notably, Commissioner Brill has lamented that common de-identifying techniques involve no more than removing any references to name and address from collected data.  Websites store the unique identifier of the computer or mobile device used to access a website, devices that, Brill notes, are &amp;ldquo;for all intents and purposes, linked to individuals.&amp;rdquo;  &lt;br /&gt;
Most recently, &lt;a href="http://www.nytimes.com/2012/02/19/magazine/shopping-habits.html?pagewanted=all"&gt;The New York Times reported&lt;/a&gt; that companies have engaged in the practice of collecting vast amounts of innocuous data on an individual in order to infer sensitive information about customers.  For instance, Target began tracking purchases from consumers to establish that they were pregnant, often within just two purchase cycles.  Subsequently, the company would include pregnancy-related advertisements in interactions with that consumer.&lt;/p&gt;
&lt;p&gt;And thus Big Data can best be characterized as a state of mind, a realization of the enormous analytical potential to use data that has been and continues to be amassed about individuals to gain new levels of insight into consumer behavior.  Whether a prospective restaurateur wants to know whether to open a sushi bar in an upscale neighborhood and how to price the menu, or a store wants to know if a customer might be pregnant, Big Data is there to provide solutions.&lt;br /&gt;
The FTC does not appear to view Big Data negatively (and it would be unwise to do so), but it wants the industry to play by the rules, &lt;a href="http://www.infolawgroup.com/2012/02/articles/privacy-law/white-house-released-privacy-framework-includes-the-consumer-privacy-bill-of-rights/"&gt;including the rules the White House has articulated in its privacy report&lt;/a&gt;.  Brill suggested that the government may need to provide heightened consumer protections against certain types of Big Data practices, particularly the aggregation of ostensibly innocuous data to determine sensitive information, such as health status, sexual orientation and financial status.&lt;/p&gt;
&lt;p&gt;The FTC believes it has several tools at its disposal to attempt to rein in Big Data.  First, Brill has made it clear that she believes that collection or use of information for purposes articulated in the Fair Credit Reporting Act may well deem the party engaging in the practices a consumer reporting agency under the FCRA, subjecting it to myriad restrictions on data use, disclosure, accuracy and security.  Brill has suggested that, for example, FCRA should apply to data scraped from social media if the data is used for FCRA purposes.&lt;/p&gt;
&lt;p&gt;In addition, Brill wants Big Data to join in on a one stop shop DNT portal.  Brill does not suggest that consumers should have an opportunity to opt out of uses of their data covered by the FCRA (provided there is compliance), but she views as essential consumers&amp;rsquo; ability to access and correct the data.   She would like all DNT technologies to work together to offer consumers a one stop shop to understand what information has been collected about them and the option to correct their information.  Brill also would like to see the portal offer a universal DNC option for the collection and use of consumer data for non-FCRA purposes that are not necessary to process transactions (i.e., marketing).&lt;/p&gt;
&lt;p&gt;There has been &lt;a href="http://www.infolawgroup.com/2011/10/articles/privacy-law/restrictions-on-use-of-consumer-reports-in-hiring-process-enacted-in-california/"&gt;enforcement activity&lt;/a&gt; that can fairly be characterized as an attempt to rein in Big Data.  For example, &lt;a href="http://www.infolawgroup.com/2012/02/articles/privacy-law/white-house-released-privacy-framework-includes-the-consumer-privacy-bill-of-rights/"&gt;the FTC successfully pressed Social Intelligence&lt;/a&gt;, a company that collected and sold social media data for employment eligibility purposes, to admit that it is a consumer reporting agency subject to the FCRA.  In addition, the &lt;a href="http://www.infolawgroup.com/2011/10/articles/privacy-law/restrictions-on-use-of-consumer-reports-in-hiring-process-enacted-in-california/"&gt;Equal Employment Opportunity Commission has taken steps&lt;/a&gt; to seek to preclude companies from using credit report data in the employment process.  Further, a &lt;a href="http://www.infolawgroup.com/2011/10/articles/privacy-law/restrictions-on-use-of-consumer-reports-in-hiring-process-enacted-in-california/"&gt;number of states have passed laws&lt;/a&gt; that, with some exceptions, prohibit the use of credit reports in the employment process.  Consumer reporting is the precursor of modern Big Data and offers a preview of the regulatory climate that may impact this new industry.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;What&amp;rsquo;s Next?&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Big Data is poised to expand.  The advent of the Smart Grid (which includes smart meters, smart appliances, electric/hybrid car charging stations and other elements of the utility infrastructure) will enable the collection of ever more precise and powerful information about consumer behavior.  Again, the Smart Grid has the potential to boost the U.S. economy, but as the consumer information flows into Big Data, regulators will want the industry to play by the rules.&lt;/p&gt;
&lt;p&gt;While Big Data is in flux, there are things data companies can do: understand how the company processes data, contractual and legal limitations on the data processing, best practices (including those gleaned from FTC guidance and White House and FTC reports) and enforcement risks, and implement privacy controls that are consistent with the organization&amp;rsquo;s business needs and risk comfort levels.  We know that the departure point for FTC&amp;rsquo;s enforcement is privacy violations that the Commission perceives to be egregious.  This should give some comfort to Big Data companies that strive to process personal data in a fair and transparent manner that they would not be the first door on which the FTC knocks.&lt;/p&gt;
&lt;p&gt;Finally, while the DNT debate is raging, companies have at their disposal many existing options to be proactive in ensuring that their online privacy practices are fair and transparent in the eyes of regulators and consumer advocacy groups (e.g., BBB and NAI advertising opt-out programs, website analytics opt-outs and other tools).  However the debate on DNT ultimately settles, companies can use these tools today to demonstrate their commitment to respecting consumers&amp;rsquo; privacy choices.&lt;br /&gt;
&amp;nbsp;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/InfoLawGroup/~4/oa2FZ9GVSmU" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/InfoLawGroup/~3/oa2FZ9GVSmU/</link>
         <guid isPermaLink="false">http://www.infolawgroup.com/2012/03/articles/data-privacy-law-or-regulation/ftc-looks-to-link-donottrack-big-data-privacy-concerns-seeks-solutions/</guid>
         <category domain="http://www.infolawgroup.com/tags">Big Data</category><category domain="http://www.infolawgroup.com/tags">Brill</category><category domain="http://www.infolawgroup.com/tags">DNT</category><category domain="http://www.infolawgroup.com/articles">Data Privacy Law or Regulation</category><category domain="http://www.infolawgroup.com/tags">Do-Not-Track</category><category domain="http://www.infolawgroup.com/information-law/statues-and-regulations/federal">FCRA</category><category domain="http://www.infolawgroup.com/tags">FTC</category><category domain="http://www.infolawgroup.com/tags">Nihar Shah</category><category domain="http://www.infolawgroup.com/tags">OBA</category><category domain="http://www.infolawgroup.com/">Privacy</category><category domain="http://www.infolawgroup.com/tags">Segalis</category><category domain="http://www.infolawgroup.com/tags">privacy enforcement</category><category domain="http://www.infolawgroup.com/tags">targeting</category><category domain="http://www.infolawgroup.com/tags">tracking</category>
         <pubDate>Thu, 15 Mar 2012 11:39:51 -0700</pubDate>
         <dc:creator>Boris Segalis</dc:creator>
      
      <feedburner:origLink>http://www.infolawgroup.com/2012/03/articles/data-privacy-law-or-regulation/ftc-looks-to-link-donottrack-big-data-privacy-concerns-seeks-solutions/</feedburner:origLink></item>
            <item>
         <title>NTIA Requests Comments on New Privacy Framework</title>
         <description>&lt;p&gt;&lt;!--[if gte mso 9]&gt;&lt;xml&gt;
 &lt;o:OfficeDocumentSettings&gt;
  &lt;o:AllowPNG/&gt;
 &lt;/o:OfficeDocumentSettings&gt;
&lt;/xml&gt;&lt;![endif][if gte mso 9]&gt;&lt;xml&gt;
 &lt;w:WordDocument&gt;
  &lt;w:View&gt;Normal&lt;/w:View&gt;
  &lt;w:Zoom&gt;0&lt;/w:Zoom&gt;
  &lt;w:TrackMoves/&gt;
  &lt;w:TrackFormatting/&gt;
  &lt;w:PunctuationKerning/&gt;
  &lt;w:ValidateAgainstSchemas/&gt;
  &lt;w:SaveIfXMLInvalid&gt;false&lt;/w:SaveIfXMLInvalid&gt;
  &lt;w:IgnoreMixedContent&gt;false&lt;/w:IgnoreMixedContent&gt;
  &lt;w:AlwaysShowPlaceholderText&gt;false&lt;/w:AlwaysShowPlaceholderText&gt;
  &lt;w:DoNotPromoteQF/&gt;
  &lt;w:LidThemeOther&gt;EN-US&lt;/w:LidThemeOther&gt;
  &lt;w:LidThemeAsian&gt;X-NONE&lt;/w:LidThemeAsian&gt;
  &lt;w:LidThemeComplexScript&gt;X-NONE&lt;/w:LidThemeComplexScript&gt;
  &lt;w:Compatibility&gt;
   &lt;w:BreakWrappedTables/&gt;
   &lt;w:SnapToGridInCell/&gt;
   &lt;w:WrapTextWithPunct/&gt;
   &lt;w:UseAsianBreakRules/&gt;
   &lt;w:DontGrowAutofit/&gt;
   &lt;w:SplitPgBreakAndParaMark/&gt;
   &lt;w:EnableOpenTypeKerning/&gt;
   &lt;w:DontFlipMirrorIndents/&gt;
   &lt;w:OverrideTableStyleHps/&gt;
  &lt;/w:Compatibility&gt;
  &lt;m:mathPr&gt;
   &lt;m:mathFont m:val="Cambria Math"/&gt;
   &lt;m:brkBin m:val="before"/&gt;
   &lt;m:brkBinSub m:val="&amp;#45;-"/&gt;
   &lt;m:smallFrac m:val="off"/&gt;
   &lt;m:dispDef/&gt;
   &lt;m:lMargin m:val="0"/&gt;
   &lt;m:rMargin m:val="0"/&gt;
   &lt;m:defJc m:val="centerGroup"/&gt;
   &lt;m:wrapIndent m:val="1440"/&gt;
   &lt;m:intLim m:val="subSup"/&gt;
   &lt;m:naryLim m:val="undOvr"/&gt;
  &lt;/m:mathPr&gt;&lt;/w:WordDocument&gt;
&lt;/xml&gt;&lt;![endif][if gte mso 9]&gt;&lt;xml&gt;
 &lt;w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true"
  DefSemiHidden="true" DefQFormat="false" DefPriority="99"
  LatentStyleCount="267"&gt;
  &lt;w:LsdException Locked="false" Priority="0" SemiHidden="false"
   UnhideWhenUsed="false" QFormat="true" Name="Normal"/&gt;
  &lt;w:LsdException Locked="false" Priority="9" SemiHidden="false"
   UnhideWhenUsed="false" QFormat="true" Name="heading 1"/&gt;
  &lt;w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 2"/&gt;
  &lt;w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 3"/&gt;
  &lt;w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 4"/&gt;
  &lt;w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 5"/&gt;
  &lt;w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 6"/&gt;
  &lt;w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 7"/&gt;
  &lt;w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 8"/&gt;
  &lt;w:LsdException Locked="false" Priority="9" QFormat="true" Name="heading 9"/&gt;
  &lt;w:LsdException Locked="false" Priority="39" Name="toc 1"/&gt;
  &lt;w:LsdException Locked="false" Priority="39" Name="toc 2"/&gt;
  &lt;w:LsdException Locked="false" Priority="39" Name="toc 3"/&gt;
  &lt;w:LsdException Locked="false" Priority="39" Name="toc 4"/&gt;
  &lt;w:LsdException Locked="false" Priority="39" Name="toc 5"/&gt;
  &lt;w:LsdException Locked="false" Priority="39" Name="toc 6"/&gt;
  &lt;w:LsdException Locked="false" Priority="39" Name="toc 7"/&gt;
  &lt;w:LsdException Locked="false" Priority="39" Name="toc 8"/&gt;
  &lt;w:LsdException Locked="false" Priority="39" Name="toc 9"/&gt;
  &lt;w:LsdException Locked="false" Priority="35" QFormat="true" Name="caption"/&gt;
  &lt;w:LsdException Locked="false" Priority="10" SemiHidden="false"
   UnhideWhenUsed="false" QFormat="true" Name="Title"/&gt;
  &lt;w:LsdException Locked="false" Priority="1" Name="Default Paragraph Font"/&gt;
  &lt;w:LsdException Locked="false" Priority="11" SemiHidden="false"
   UnhideWhenUsed="false" QFormat="true" Name="Subtitle"/&gt;
  &lt;w:LsdException Locked="false" Priority="22" SemiHidden="false"
   UnhideWhenUsed="false" QFormat="true" Name="Strong"/&gt;
  &lt;w:LsdException Locked="false" Priority="20" SemiHidden="false"
   UnhideWhenUsed="false" QFormat="true" Name="Emphasis"/&gt;
  &lt;w:LsdException Locked="false" Priority="59" SemiHidden="false"
   UnhideWhenUsed="false" Name="Table Grid"/&gt;
  &lt;w:LsdException Locked="false" UnhideWhenUsed="false" Name="Placeholder Text"/&gt;
  &lt;w:LsdException Locked="false" Priority="1" SemiHidden="false"
   UnhideWhenUsed="false" QFormat="true" Name="No Spacing"/&gt;
  &lt;w:LsdException Locked="false" Priority="60" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light Shading"/&gt;
  &lt;w:LsdException Locked="false" Priority="61" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light List"/&gt;
  &lt;w:LsdException Locked="false" Priority="62" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light Grid"/&gt;
  &lt;w:LsdException Locked="false" Priority="63" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Shading 1"/&gt;
  &lt;w:LsdException Locked="false" Priority="64" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Shading 2"/&gt;
  &lt;w:LsdException Locked="false" Priority="65" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium List 1"/&gt;
  &lt;w:LsdException Locked="false" Priority="66" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium List 2"/&gt;
  &lt;w:LsdException Locked="false" Priority="67" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 1"/&gt;
  &lt;w:LsdException Locked="false" Priority="68" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 2"/&gt;
  &lt;w:LsdException Locked="false" Priority="69" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 3"/&gt;
  &lt;w:LsdException Locked="false" Priority="70" SemiHidden="false"
   UnhideWhenUsed="false" Name="Dark List"/&gt;
  &lt;w:LsdException Locked="false" Priority="71" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful Shading"/&gt;
  &lt;w:LsdException Locked="false" Priority="72" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful List"/&gt;
  &lt;w:LsdException Locked="false" Priority="73" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful Grid"/&gt;
  &lt;w:LsdException Locked="false" Priority="60" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light Shading Accent 1"/&gt;
  &lt;w:LsdException Locked="false" Priority="61" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light List Accent 1"/&gt;
  &lt;w:LsdException Locked="false" Priority="62" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light Grid Accent 1"/&gt;
  &lt;w:LsdException Locked="false" Priority="63" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 1"/&gt;
  &lt;w:LsdException Locked="false" Priority="64" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 1"/&gt;
  &lt;w:LsdException Locked="false" Priority="65" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium List 1 Accent 1"/&gt;
  &lt;w:LsdException Locked="false" UnhideWhenUsed="false" Name="Revision"/&gt;
  &lt;w:LsdException Locked="false" Priority="34" SemiHidden="false"
   UnhideWhenUsed="false" QFormat="true" Name="List Paragraph"/&gt;
  &lt;w:LsdException Locked="false" Priority="29" SemiHidden="false"
   UnhideWhenUsed="false" QFormat="true" Name="Quote"/&gt;
  &lt;w:LsdException Locked="false" Priority="30" SemiHidden="false"
   UnhideWhenUsed="false" QFormat="true" Name="Intense Quote"/&gt;
  &lt;w:LsdException Locked="false" Priority="66" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium List 2 Accent 1"/&gt;
  &lt;w:LsdException Locked="false" Priority="67" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 1"/&gt;
  &lt;w:LsdException Locked="false" Priority="68" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 1"/&gt;
  &lt;w:LsdException Locked="false" Priority="69" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 1"/&gt;
  &lt;w:LsdException Locked="false" Priority="70" SemiHidden="false"
   UnhideWhenUsed="false" Name="Dark List Accent 1"/&gt;
  &lt;w:LsdException Locked="false" Priority="71" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful Shading Accent 1"/&gt;
  &lt;w:LsdException Locked="false" Priority="72" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful List Accent 1"/&gt;
  &lt;w:LsdException Locked="false" Priority="73" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful Grid Accent 1"/&gt;
  &lt;w:LsdException Locked="false" Priority="60" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light Shading Accent 2"/&gt;
  &lt;w:LsdException Locked="false" Priority="61" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light List Accent 2"/&gt;
  &lt;w:LsdException Locked="false" Priority="62" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light Grid Accent 2"/&gt;
  &lt;w:LsdException Locked="false" Priority="63" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 2"/&gt;
  &lt;w:LsdException Locked="false" Priority="64" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 2"/&gt;
  &lt;w:LsdException Locked="false" Priority="65" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium List 1 Accent 2"/&gt;
  &lt;w:LsdException Locked="false" Priority="66" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium List 2 Accent 2"/&gt;
  &lt;w:LsdException Locked="false" Priority="67" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 2"/&gt;
  &lt;w:LsdException Locked="false" Priority="68" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 2"/&gt;
  &lt;w:LsdException Locked="false" Priority="69" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 2"/&gt;
  &lt;w:LsdException Locked="false" Priority="70" SemiHidden="false"
   UnhideWhenUsed="false" Name="Dark List Accent 2"/&gt;
  &lt;w:LsdException Locked="false" Priority="71" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful Shading Accent 2"/&gt;
  &lt;w:LsdException Locked="false" Priority="72" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful List Accent 2"/&gt;
  &lt;w:LsdException Locked="false" Priority="73" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful Grid Accent 2"/&gt;
  &lt;w:LsdException Locked="false" Priority="60" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light Shading Accent 3"/&gt;
  &lt;w:LsdException Locked="false" Priority="61" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light List Accent 3"/&gt;
  &lt;w:LsdException Locked="false" Priority="62" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light Grid Accent 3"/&gt;
  &lt;w:LsdException Locked="false" Priority="63" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 3"/&gt;
  &lt;w:LsdException Locked="false" Priority="64" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 3"/&gt;
  &lt;w:LsdException Locked="false" Priority="65" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium List 1 Accent 3"/&gt;
  &lt;w:LsdException Locked="false" Priority="66" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium List 2 Accent 3"/&gt;
  &lt;w:LsdException Locked="false" Priority="67" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 3"/&gt;
  &lt;w:LsdException Locked="false" Priority="68" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 3"/&gt;
  &lt;w:LsdException Locked="false" Priority="69" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 3"/&gt;
  &lt;w:LsdException Locked="false" Priority="70" SemiHidden="false"
   UnhideWhenUsed="false" Name="Dark List Accent 3"/&gt;
  &lt;w:LsdException Locked="false" Priority="71" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful Shading Accent 3"/&gt;
  &lt;w:LsdException Locked="false" Priority="72" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful List Accent 3"/&gt;
  &lt;w:LsdException Locked="false" Priority="73" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful Grid Accent 3"/&gt;
  &lt;w:LsdException Locked="false" Priority="60" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light Shading Accent 4"/&gt;
  &lt;w:LsdException Locked="false" Priority="61" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light List Accent 4"/&gt;
  &lt;w:LsdException Locked="false" Priority="62" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light Grid Accent 4"/&gt;
  &lt;w:LsdException Locked="false" Priority="63" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 4"/&gt;
  &lt;w:LsdException Locked="false" Priority="64" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 4"/&gt;
  &lt;w:LsdException Locked="false" Priority="65" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium List 1 Accent 4"/&gt;
  &lt;w:LsdException Locked="false" Priority="66" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium List 2 Accent 4"/&gt;
  &lt;w:LsdException Locked="false" Priority="67" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 4"/&gt;
  &lt;w:LsdException Locked="false" Priority="68" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 4"/&gt;
  &lt;w:LsdException Locked="false" Priority="69" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 4"/&gt;
  &lt;w:LsdException Locked="false" Priority="70" SemiHidden="false"
   UnhideWhenUsed="false" Name="Dark List Accent 4"/&gt;
  &lt;w:LsdException Locked="false" Priority="71" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful Shading Accent 4"/&gt;
  &lt;w:LsdException Locked="false" Priority="72" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful List Accent 4"/&gt;
  &lt;w:LsdException Locked="false" Priority="73" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful Grid Accent 4"/&gt;
  &lt;w:LsdException Locked="false" Priority="60" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light Shading Accent 5"/&gt;
  &lt;w:LsdException Locked="false" Priority="61" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light List Accent 5"/&gt;
  &lt;w:LsdException Locked="false" Priority="62" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light Grid Accent 5"/&gt;
  &lt;w:LsdException Locked="false" Priority="63" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 5"/&gt;
  &lt;w:LsdException Locked="false" Priority="64" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 5"/&gt;
  &lt;w:LsdException Locked="false" Priority="65" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium List 1 Accent 5"/&gt;
  &lt;w:LsdException Locked="false" Priority="66" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium List 2 Accent 5"/&gt;
  &lt;w:LsdException Locked="false" Priority="67" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 5"/&gt;
  &lt;w:LsdException Locked="false" Priority="68" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 5"/&gt;
  &lt;w:LsdException Locked="false" Priority="69" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 5"/&gt;
  &lt;w:LsdException Locked="false" Priority="70" SemiHidden="false"
   UnhideWhenUsed="false" Name="Dark List Accent 5"/&gt;
  &lt;w:LsdException Locked="false" Priority="71" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful Shading Accent 5"/&gt;
  &lt;w:LsdException Locked="false" Priority="72" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful List Accent 5"/&gt;
  &lt;w:LsdException Locked="false" Priority="73" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful Grid Accent 5"/&gt;
  &lt;w:LsdException Locked="false" Priority="60" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light Shading Accent 6"/&gt;
  &lt;w:LsdException Locked="false" Priority="61" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light List Accent 6"/&gt;
  &lt;w:LsdException Locked="false" Priority="62" SemiHidden="false"
   UnhideWhenUsed="false" Name="Light Grid Accent 6"/&gt;
  &lt;w:LsdException Locked="false" Priority="63" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Shading 1 Accent 6"/&gt;
  &lt;w:LsdException Locked="false" Priority="64" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Shading 2 Accent 6"/&gt;
  &lt;w:LsdException Locked="false" Priority="65" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium List 1 Accent 6"/&gt;
  &lt;w:LsdException Locked="false" Priority="66" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium List 2 Accent 6"/&gt;
  &lt;w:LsdException Locked="false" Priority="67" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 1 Accent 6"/&gt;
  &lt;w:LsdException Locked="false" Priority="68" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 2 Accent 6"/&gt;
  &lt;w:LsdException Locked="false" Priority="69" SemiHidden="false"
   UnhideWhenUsed="false" Name="Medium Grid 3 Accent 6"/&gt;
  &lt;w:LsdException Locked="false" Priority="70" SemiHidden="false"
   UnhideWhenUsed="false" Name="Dark List Accent 6"/&gt;
  &lt;w:LsdException Locked="false" Priority="71" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful Shading Accent 6"/&gt;
  &lt;w:LsdException Locked="false" Priority="72" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful List Accent 6"/&gt;
  &lt;w:LsdException Locked="false" Priority="73" SemiHidden="false"
   UnhideWhenUsed="false" Name="Colorful Grid Accent 6"/&gt;
  &lt;w:LsdException Locked="false" Priority="19" SemiHidden="false"
   UnhideWhenUsed="false" QFormat="true" Name="Subtle Emphasis"/&gt;
  &lt;w:LsdException Locked="false" Priority="21" SemiHidden="false"
   UnhideWhenUsed="false" QFormat="true" Name="Intense Emphasis"/&gt;
  &lt;w:LsdException Locked="false" Priority="31" SemiHidden="false"
   UnhideWhenUsed="false" QFormat="true" Name="Subtle Reference"/&gt;
  &lt;w:LsdException Locked="false" Priority="32" SemiHidden="false"
   UnhideWhenUsed="false" QFormat="true" Name="Intense Reference"/&gt;
  &lt;w:LsdException Locked="false" Priority="33" SemiHidden="false"
   UnhideWhenUsed="false" QFormat="true" Name="Book Title"/&gt;
  &lt;w:LsdException Locked="false" Priority="37" Name="Bibliography"/&gt;
  &lt;w:LsdException Locked="false" Priority="39" QFormat="true" Name="TOC Heading"/&gt;
 &lt;/w:LatentStyles&gt;
&lt;/xml&gt;&lt;![endif][if gte mso 10]&gt;
&lt;style&gt;
 /* Style Definitions */
 table.MsoNormalTable
	{mso-style-name:"Table Normal";
	mso-tstyle-rowband-size:0;
	mso-tstyle-colband-size:0;
	mso-style-noshow:yes;
	mso-style-priority:99;
	mso-style-parent:"";
	mso-padding-alt:0in 5.4pt 0in 5.4pt;
	mso-para-margin-top:0in;
	mso-para-margin-right:0in;
	mso-para-margin-bottom:10.0pt;
	mso-para-margin-left:0in;
	line-height:115%;
	mso-pagination:widow-orphan;
	font-size:11.0pt;
	font-family:"Calibri","sans-serif";
	mso-ascii-font-family:Calibri;
	mso-ascii-theme-font:minor-latin;
	mso-hansi-font-family:Calibri;
	mso-hansi-theme-font:minor-latin;
	mso-bidi-font-family:"Times New Roman";
	mso-bidi-theme-font:minor-bidi;}
&lt;/style&gt;
&lt;![endif]--&gt;&lt;span style="font-size: small;"&gt;As we previously &lt;/span&gt;&lt;span style="font-size: small;"&gt;&lt;a href="../../../../2012/02/articles/privacy-law/white-house-released-privacy-framework-includes-the-consumer-privacy-bill-of-rights/"&gt;&lt;span style="line-height: 115%;"&gt;posted&lt;/span&gt;&lt;/a&gt;&lt;b style="mso-bidi-font-weight:normal"&gt;&lt;span style="line-height: 115%;"&gt;, &lt;/span&gt;&lt;/b&gt;on February 23, 2012, &lt;span style="line-height: 115%;"&gt;the White House released a white paper setting forth &lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: small;"&gt;&lt;a href="http://www.hldataprotection.com/uploads/file/White%20Paper.pdf"&gt;&lt;span style="line-height: 115%;"&gt;A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy &lt;/span&gt;&lt;/a&gt;&lt;span style="line-height: 115%;"&gt;&amp;nbsp;(the &amp;ldquo;Framework&amp;rdquo;).&amp;nbsp; The Framework called for a &amp;ldquo;multi-stakeholder process&amp;rdquo; to move forward in implementing the goals it set forth, including the creation of a legally enforceable code of conduct. &amp;nbsp;On Monday, the Department of Commerce National Telecommunications and Information Administration (&amp;ldquo;NTIA&amp;rdquo;)&amp;nbsp; issued a Federal Register notice, the &lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: small;"&gt;&lt;a href="http://www.ntia.doc.gov/files/ntia/publications/fr_privacy_rfc_notice_03052012_0.pdf"&gt;&lt;span style="line-height: 115%;"&gt;&amp;ldquo;Multistakeholder Process to Develop Data Privacy Codes of Conduct&amp;rdquo;&lt;/span&gt;&lt;/a&gt;&lt;span style="line-height: 115%;"&gt;, calling for public comment. 
&amp;nbsp;In this notice, NTIA called for stakeholders to comment &amp;ldquo;on substantive consumer data privacy issues that warrant the development of legally enforceable codes of conduct, as well as procedures to foster the development of these codes.&amp;rdquo;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;&lt;p&gt;&lt;span style="font-size: small;"&gt;&lt;span style="line-height: 115%;"&gt;The NTIA seeks comments to begin to develop the code of conduct through &amp;ldquo;consensus-building&amp;rdquo; among a broad spectrum of stakeholders. The NTIA envisions the code of conduct to be one in which&amp;nbsp;companies will voluntarily participate, but that will be legally enforceable and subject to the jurisdiction of the Federal Trade Commission (among those companies that agree to participate).&lt;/span&gt;&lt;/span&gt;&lt;span style="font-size: larger;"&gt;&lt;span style="line-height: 115%;"&gt;&amp;nbsp;&lt;/span&gt;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="font-size:10.0pt;
line-height:115%"&gt;The NTIA has requested comments on the follow general subject matters:&amp;nbsp;&lt;/span&gt;&lt;/p&gt;
&lt;p&gt;&lt;i&gt;&lt;span style="font-size:10.0pt;line-height:115%"&gt;(1) What consumer privacy issues should be addressed in the codes of conduct (NTIA is particularly interested in privacy issues with respect to mobile applications, including those that involve location based services or cloud computing and those that are targeted at children under 13 and teenagers under 18)? &lt;/span&gt;&lt;/i&gt;&lt;/p&gt;
&lt;p&gt;&lt;i&gt;&lt;span style="font-size:10.0pt;line-height:115%"&gt;(2) How should NTIA properly implement the multistakeholder process (e.g. what entities should be involved, how should NTIA encourage participation amongst a varied group of stakeholders, what should be required to participate)? &lt;/span&gt;&lt;/i&gt;&lt;/p&gt;
&lt;p&gt;&lt;i&gt;&lt;span style="font-size:10.0pt;line-height:115%"&gt;(3) How can NTIA be transparent in the multistakeholder process (e.g. what exactly should be produced publicly, what&amp;nbsp;is the best way to facilitate public review and comment)?&lt;/span&gt;&lt;/i&gt;&lt;/p&gt;
&lt;p&gt;&lt;i&gt;&lt;span style="font-size:10.0pt;line-height:115%"&gt;(4) How have other stakeholder groups defined and reached (or failed to reach) consensus?&lt;/span&gt;&lt;/i&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="font-size:10.0pt;
line-height:115%"&gt;Comments are due on or before 5 p.m. Eastern Daylight Savings Time on &lt;b&gt;March 26, 2012 &lt;/b&gt;and may be submitted via &lt;/span&gt;&lt;b&gt;&lt;a href="mailto:privacyrfc2012@ntia.doc.gov"&gt;&lt;span style="font-size:10.0pt;line-height:115%"&gt;email&lt;/span&gt;&lt;/a&gt;&lt;/b&gt;&lt;span style="font-size:10.0pt;line-height:115%"&gt; or by mail to: 1401 Constitution Avenue NW., Room 4725, Washington, DC 20230.&lt;/span&gt;&amp;nbsp;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/InfoLawGroup/~4/rOsl0MLdBvo" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/InfoLawGroup/~3/rOsl0MLdBvo/</link>
         <guid isPermaLink="false">http://www.infolawgroup.com/2012/03/articles/privacy-law/ntia-requests-comments-on-new-privacy-framework/</guid>
         <category domain="http://www.infolawgroup.com/tags">Consumer Protection</category><category domain="http://www.infolawgroup.com/tags">Department of Commerce</category><category domain="http://www.infolawgroup.com/">Privacy</category><category domain="http://www.infolawgroup.com/articles">Privacy Law</category><category domain="http://www.infolawgroup.com/tags">Shannon Harell</category><category domain="http://www.infolawgroup.com/tags">White House</category><category domain="http://www.infolawgroup.com/tags">legislation</category><category domain="http://www.infolawgroup.com/tags">transparency</category><category domain="http://www.infolawgroup.com/tags">whitepaper</category>
         <pubDate>Wed, 07 Mar 2012 16:19:56 -0700</pubDate>
         <dc:creator>Shannon Harell</dc:creator>
      
      <feedburner:origLink>http://www.infolawgroup.com/2012/03/articles/privacy-law/ntia-requests-comments-on-new-privacy-framework/</feedburner:origLink></item>
            <item>
         <title>PCI liability, HIPAA enforcement rule, breach notification laws</title>
         <description>&lt;p&gt;At the RSA Conference 2012, &lt;a href="http://www.infolawgroup.com/david-navetta.html"&gt;David Navetta&lt;/a&gt; discussed compliance topics, including why PCI liability matters to the card brands, the effect of the HIPAA enforcement rule and international breach notification laws.&amp;nbsp; Watch the discussion &lt;a href="http://searchsecurity.techtarget.com/video/Video-PCI-liability-HIPAA-enforcement-rule-breach-notification-laws"&gt;here&lt;/a&gt;.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/InfoLawGroup/~4/5QGzkVRXZsg" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/InfoLawGroup/~3/5QGzkVRXZsg/</link>
         <guid isPermaLink="false">http://www.infolawgroup.com/2012/03/articles/pci-1/pci-liability-hipaa-enforcement-rule-breach-notification-laws/</guid>
         <category domain="http://www.infolawgroup.com/articles">PCI</category>
         <pubDate>Tue, 06 Mar 2012 12:56:30 -0700</pubDate>
         <dc:creator>Kristin Tucker</dc:creator>
      
      <feedburner:origLink>http://www.infolawgroup.com/2012/03/articles/pci-1/pci-liability-hipaa-enforcement-rule-breach-notification-laws/</feedburner:origLink></item>
            <item>
         <title>NIST Releases Public Draft SP800-53 Addressing Cybersecurity Threats &amp; Privacy Controls</title>
         <description>&lt;p&gt;Yesterday the &lt;a href="http://www.nist.gov/index.html"&gt;National Institute of Standards and Technology&lt;/a&gt; (NIST) released the 4th iteration of what will ultimately be a mainstay document for federal agencies required to comply with provisions of the &lt;a href="http://csrc.nist.gov/groups/SMA/fisma/index.html"&gt;Federal Information Security Management Act&lt;/a&gt; (FISMA) and &lt;a href="http://csrc.nist.gov/publications/fips/fips200/FIPS-200-final-march.pdf"&gt;FIPS 200&lt;/a&gt;. As a result it should have a significant effect on federal cloud security practices that will ultimately also affect commercial non-governmental cloud usage.&lt;/p&gt;
&lt;p&gt;Weighing in at 375 pages, NIST&amp;rsquo;s Special Publication 800-53, Rev. 4, entitled &lt;a href="http://csrc.nist.gov/publications/PubsDrafts.html#SP-800-53-Rev.%204"&gt;&lt;strong&gt;Security and Privacy Controls for Federal Information Systems and Organizations&lt;/strong&gt;&lt;/a&gt;, is the first &amp;ldquo;public draft&amp;rdquo; of SP800-53. Previous iterations of parts of SP800-53 were released essentially piecemeal (i.e. Appendix J, Privacy Control Catalog, was earlier distributed separately, etc.).&amp;nbsp; Given the breadth and scope of SP800-53, follow-up posts will examine specific notable sections of this important NIST&amp;nbsp;SP.&amp;nbsp; In addition, the public comment period for SP 800-53 runs until &lt;u&gt;April 6, 2012&lt;/u&gt;. Comments may be sent via email to &lt;a href="mailto:sec-cert@nist.gov?subject=Comment%20on%20SP800-53"&gt;sec-cert@nist.gov&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;This latest public draft includes major changes that, according to NIST, include:&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;New security controls and control enhancements;&lt;/li&gt;
    &lt;li&gt;Clarification of security control requirements and specification language;&lt;/li&gt;
    &lt;li&gt;New tailoring guidance including the introduction of overlays;&lt;/li&gt;
    &lt;li&gt;Additional supplemental guidance for security controls and enhancements;&lt;/li&gt;
    &lt;li&gt;New privacy controls and implementation guidance;&lt;/li&gt;
    &lt;li&gt;Updated security control baselines;&lt;/li&gt;
    &lt;li&gt;New summary tables for security controls to facilitate ease-of-use; and&lt;/li&gt;
    &lt;li&gt;Revised minimum assurance requirements and designated assurance controls.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;NIST notes that &amp;quot;[m]any of the changes were driven by particular cyber security issues and challenges requiring greater attention including, for example, insider threat, mobile and cloud computing, application security, firmware integrity, supply chain risk, and the advanced persistent threat (APT).&amp;quot;&lt;/p&gt;
&lt;p&gt;Interestingly, despite the cloud-heavy focus of many recent NIST&amp;nbsp;SP's and reports, the release stresses that &amp;quot;in most instances, with the exception of the new privacy appendix, the new controls and enhancements are not labeled specifically as 'cloud' or 'mobile computing' controls or placed in one section of the catalog.&amp;quot;&amp;nbsp; In following posts I'll explore the ramifications of this orientation and examine why NIST's approach makes sense in light of the current infosec and threat landscape. We'll also dig through the expected additional markup versions of Appendices D, F and G following the comment period and Appendices E and J, containing security and privacy controls. &amp;nbsp;Stay tuned.&lt;/p&gt;
&lt;p&gt;To discuss the latest SP800-53 public draft or expected implications of the recommended controls on your entity's security and data infrastructure please feel free to contact me or any of the InfoLawGroup team of attorneys.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/InfoLawGroup/~4/OavPGk96S0k" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/InfoLawGroup/~3/OavPGk96S0k/</link>
         <guid isPermaLink="false">http://www.infolawgroup.com/2012/02/articles/cloud-computing-1/nist-releases-public-draft-sp80053-addressing-cybersecurity-threats-privacy-controls/</guid>
         <category domain="http://www.infolawgroup.com/tags">Cloud</category><category domain="http://www.infolawgroup.com/articles">Cloud Computing</category><category domain="http://www.infolawgroup.com/tags">NIST 800-53</category><category domain="http://www.infolawgroup.com/tags">Richard Santalesa</category>
         <pubDate>Wed, 29 Feb 2012 15:11:47 -0700</pubDate>
         <dc:creator>Richard Santalesa</dc:creator>
      
      <feedburner:origLink>http://www.infolawgroup.com/2012/02/articles/cloud-computing-1/nist-releases-public-draft-sp80053-addressing-cybersecurity-threats-privacy-controls/</feedburner:origLink></item>
            <item>
         <title>European Criticism for Google's New Privacy Policy</title>
         <description>&lt;p&gt;Google's new cross-service privacy policy is supposed to come into effect on March 1. &amp;nbsp;The US Federal Trade Commission has already expressed concerns, and now European data protection authorities have weighed in with the assertion that a &amp;quot;preliminary analysis&amp;quot; indicates that the policy does not satisfy national laws based on the EU Data Protection Directive. &amp;nbsp;&lt;/p&gt;
&lt;p&gt;With implementation of the EU ePrivacy Directive amendments this year and a draft EU Regulation slated to replace the Data Protection Directive, the global environment for online privacy will only become more demanding. &amp;nbsp;The trend is toward more informative and granular privacy policies, with more conspicuous privacy options for Internet and mobile users. &amp;nbsp;Service providers should take this trend into account in planning and updating their online privacy practices, if they want to reach a global audience without running head on into global compliance problems.&lt;/p&gt;&lt;p&gt;Google recently announced a &lt;a href="http://www.google.com/policies/privacy/preview/"&gt;new privacy policy&lt;/a&gt;&amp;nbsp;that would replace some 70 separate policies covering its diverse services, from Gmail, YouTube, and Blogger to its Chrome browser, Google Docs, and Google Maps. &amp;nbsp;Unless users exercise certain opt-out choices, Google will collect data about their use of the various Google services to create comprehensive profiles and follow the users' activities across multiple online and mobile services. &amp;nbsp;This will allow Google to personalize services and search results -- and serve up more personalized (and higher-value) advertising. &amp;nbsp;The new policy is more detailed than most of the existing Google privacy policies and has the advantage of informing users about Google's practices and options in a single place.&lt;/p&gt;
&lt;p&gt;Privacy advocates in the United States and the United Kingdom have called for government investigations of the planned cross-matching of online behavioral data, and the chairman of the US Federal Trade Commission expressed &lt;a href="http://techdailydose.nationaljournal.com/2012/02/ftc-chairman-google-giving-con.php"&gt;concern&lt;/a&gt; over what he termed the &amp;quot;binary,&amp;quot; &amp;quot;somewhat brutal choice&amp;quot; offered by Google to accept or decline all such profiling.&lt;/p&gt;
&lt;p&gt;Yesterday, the president of CNIL, the French data protection authority, issued an open &lt;a href="http://www.cnil.fr/fileadmin/documents/en/Courrier_Google_CE121115_27-02-2012.pdf"&gt;letter&lt;/a&gt;&amp;nbsp;to Google's CEO announcing a further investigation and the initial conclusion that the new privacy practices would not conform to European data privacy laws:&lt;/p&gt;
&lt;blockquote&gt;
&lt;p&gt;. . . our preliminary analysis shows that Google's new policy does not meet the requirements of the European Directive on Data Protection (95/46/CE), especially regarding the information provided to data subjects.&lt;/p&gt;
&lt;/blockquote&gt;
&lt;p&gt;This represents more than a French reaction to Google's announced plans. &amp;nbsp;CNIL has been designated to take the lead in investigating Google's new approach on behalf of the Article 29 Working Party, the permanent advisory body that is comprised of representatives of all the national data protection authorities and the European Commission. &amp;nbsp;A preliminary conclusion of noncompliance by the very bodies that enforce the data protection laws seriously raises the risks of proceeding with the new plan to create cross-service user profiles subject to the proposed privacy policy.&lt;/p&gt;
&lt;p&gt;The EU data protection authorities are concerned that the new privacy policy does not adequately disclose what would be done with the data and who would have access to it, as required by Articles 10 and 11 of the Directive. &amp;nbsp;More fundamentally, the Directive requires &amp;quot;fair processing&amp;quot; of personal information that is proportionate in light of the lawful, announced purposes of processing (see Articles 6 and 7). &amp;nbsp;The European authorities question whether Google has demonstrated sufficient justification to create such comprehensive and potentially intrusive profiles of online behavior. &amp;nbsp;Enhanced advertising capabilities may not be persuasive on their own. &amp;nbsp;Google will probably have to demonstrate how the new approach could improve the user experience and offer benefits that users should be allowed to choose in exchange for allowing Google to track their online behavior. &amp;nbsp;Meanwhile, CNIL, on behalf of the European privacy authorities, asks Google to delay introducing the new privacy practices and policy.&lt;/p&gt;
&lt;p&gt;These issues are not limited to Google, of course, and the environment for online profiling is only becoming stricter. &amp;nbsp;As I &lt;a href="http://www.infolawgroup.com/2012/02/articles/international-2/transborder-data-flows-at-risk/"&gt;reported&lt;/a&gt; last week, the draft EU Data Protection Regulation, which would replace the framework Directive with a more uniform European legal instrument to protect data privacy, would assert jurisdiction over online service providers that targeted European consumers or monitored their behavior, even if they did so entirely from servers located outside the EU. &amp;nbsp;And the new, so-called &amp;quot;&lt;a href="http://www.infolawgroup.com/2011/05/articles/data-privacy-law-or-regulation/cookiecutter-uk-announces-new-rules-for-website-cookies/"&gt;Cookies Rules&lt;/a&gt;&amp;quot; implementing amendments to the EU&amp;nbsp;ePrivacy Directive generally require conspicuous notices and opt-in consent at each point where an online retailer or service provider collects information from or about an individual. &amp;nbsp;In many cases, these rules will not be satisfied by a single posted privacy policy but may require pop-ups with notices and links at many points in the online experience, which will be challenging to effect (and possibly annoying to users). &amp;nbsp;There are many unanswered questions about how these requirements can be satisfied -- including concerns about third-party data collection by services such as Google Analytics that many commercial website operators rely on to fine-tune their online offerings.&lt;/p&gt;
&lt;p&gt;Once again, the technologically possible (and commercially attractive) seems to have outpaced social and legal consensus. &amp;nbsp; Google's treatment of user data is on a scale matched by few, but online enterprises of all sizes will be watching to see how Google fares in the face of official and public reservations. &amp;nbsp;&lt;/p&gt;
&lt;p&gt;One conclusion is easy: &amp;nbsp;the watchword for anyone offering products or services online should be &amp;quot;transparency.&amp;quot; &amp;nbsp;This concept appears repeatedly in the CNIL letter and also in the White House &lt;a href="http://www.infolawgroup.com/2012/02/articles/privacy-law/white-house-released-privacy-framework-includes-the-consumer-privacy-bill-of-rights/"&gt;Consumer Privacy Bill of Rights&lt;/a&gt; released last week.&amp;nbsp;&amp;nbsp;Enterprises need to say, perhaps in greater detail than before, what they are doing with user data, and they also need to explain why it is good for consumers. &amp;nbsp;As we move toward more of an opt-in approach to personal data collection and especially behavioral profiling, users will need to be persuaded of its value.&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;
&lt;p&gt;&amp;nbsp;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/InfoLawGroup/~4/NSjpGY8cvHE" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/InfoLawGroup/~3/NSjpGY8cvHE/</link>
         <guid isPermaLink="false">http://www.infolawgroup.com/2012/02/articles/eu-1/european-criticism-for-googles-new-privacy-policy/</guid>
         <category domain="http://www.infolawgroup.com/articles">Data Privacy Law or Regulation</category><category domain="http://www.infolawgroup.com/articles">EU</category><category domain="http://www.infolawgroup.com/tags">European Union</category><category domain="http://www.infolawgroup.com/tags">Google</category><category domain="http://www.infolawgroup.com/articles">International</category><category domain="http://www.infolawgroup.com/articles">Privacy Law</category><category domain="http://www.infolawgroup.com/legal">Privacy Policy</category><category domain="http://www.infolawgroup.com/articles">Social Networking</category><category domain="http://www.infolawgroup.com/tags">behavioral analytics</category><category domain="http://www.infolawgroup.com/tags">behavioral marketing</category><category domain="http://www.infolawgroup.com/tags">behavorial advertising</category><category domain="http://www.infolawgroup.com/tags">cookies</category>
         <pubDate>Tue, 28 Feb 2012 15:42:27 -0700</pubDate>
         <dc:creator>W. Scott Blackmer</dc:creator>
      
      <feedburner:origLink>http://www.infolawgroup.com/2012/02/articles/eu-1/european-criticism-for-googles-new-privacy-policy/</feedburner:origLink></item>
            <item>
         <title>Privacy in Principle (As California Goes, So Goes the Nation? Part Four)</title>
         <description>&lt;p&gt;What happened in the privacy world last week?&amp;nbsp; Well, on Friday, the White House officially released&amp;nbsp;its long-anticipated white paper setting forth a framework for &lt;a href="http://www.infolawgroup.com/2012/02/articles/privacy-law/white-house-released-privacy-framework-includes-the-consumer-privacy-bill-of-rights/"&gt;&amp;quot;Protecting Privacy And Promoting Innovation in The Global Digital Economy,&amp;quot;&lt;/a&gt; including a Consumer Privacy Bill of Rights.&amp;nbsp; Justine blogged about this on Friday &lt;a href="http://www.infolawgroup.com/2012/02/articles/privacy-law/white-house-released-privacy-framework-includes-the-consumer-privacy-bill-of-rights/"&gt;here&lt;/a&gt;.&amp;nbsp; But something else happened on Thursday, just before the release of the White House Paper.&amp;nbsp; Here in California, &lt;a href="http://oag.ca.gov/news/press_release?id=2630"&gt;Attorney General Kamala Harris announced an agreement with Amazon, Apple, Google, Hewlett-Packard, Microsoft and Research In Motion, the leading operators of mobile application platforms&lt;/a&gt; - let's call it the &lt;a href="http://ag.ca.gov/cms_attachments/press/pdfs/n2630_signed_agreement.pdf?"&gt;App Agreement&lt;/a&gt; for purposes of this post, and the six companies the App Platform Participants.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;What did those mobile application platform operators agree to do?&amp;nbsp; According to the Attorney General's website, they committed to &amp;quot;improve privacy protections for millions of consumers around the globe who access the Internet through applications (&amp;quot;apps&amp;quot;) on their smartphones, tablets and other mobile devices.&amp;nbsp; . . . These platforms have agreed to privacy principles designed to bring the industry in line with a California law requiring mobile apps that collect personal information to have a privacy policy. &amp;quot;&amp;nbsp; Why haven't you heard about that?&amp;nbsp; Well, there was this little announcement from the White House a few hours after Ms. Harris made her own announcement. It is well worth an exploration of the App Agreement to understand what it says, what it does not say, and what it means in historical context, especially in light of the new White House &amp;quot;Consumer Privacy Bill of Rights.&amp;quot;&amp;nbsp; It might be argued that the White House is now enunciating principles and best practices, and encouraging legislation of principles, that have long been embodied not only as best practice but as actual legislation under California law.&lt;/p&gt;&lt;p&gt;&lt;strong&gt;&lt;u&gt;What does the App Agreement say?&lt;/u&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The App Agreement says that, where required by law, an app that collects personal data from a user must conspicuously post a privacy policy or other statement describing the app's privacy practices that provides clear and complete information regarding how personal data is collected, used and shared.&amp;nbsp; More interestingly, the App Platform Participants have agreed in the App Agreement that they will include in the application submission process for new or updated apps either an optional data field for a hyperlink to, or for the text of, the app's privacy policy or a statement describing the app's privacy practices.&amp;nbsp; For developers who choose to submit such a hyperlink or text, the App Platform Participants will enable access for users to the hyperlink or text from the app store.&amp;nbsp; The App Platform Participants will also implement (a) a means for users to report apps that don't comply with applicable terms of service or laws; and (b) a process for responding to those reported instances of non-compliance.&amp;nbsp; Finally, the App Platform Participants will continue to work with the AG to develop best practices for mobile privacy and mobile privacy policies.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;u&gt;Does the law require that apps post a privacy policy?&lt;/u&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Yes, and this is also the position of Attorney General Harris.&amp;nbsp; Indeed, California law has required the posting of privacy policies for nearly eight years, since July 1, 2004.&amp;nbsp; The &lt;a href="http://www.leginfo.ca.gov/cgi-bin/displaycode?section=bpc&amp;amp;group=22001-23000&amp;amp;file=22575-22579"&gt;California Online Privacy Protection Act, Business &amp;amp; Professions Code section 22575&lt;em&gt; et seq.&lt;/em&gt;&lt;/a&gt; (I like to call it &amp;quot;CalOPPA&amp;quot;), requires any &amp;quot;operator of a commercial Web site or online service that collects personally identifiable information through the Internet about individual consumers residing in California who use or visit its commercial Web site or online service [to] . . . conspicuously post its privacy policy on its Web site, or in the case of an operator of an online service, make that policy available in accordance with&amp;quot; the law.&amp;nbsp; Since day one, July 1, 2004, privacy lawyers have noted that CalOPPA effectively operates like a federal law since it applies to all Web sites and online services that collect personally identifiable information about consumers residing in California.&amp;nbsp; In other words, unless an organization knows that its website will not collect information from California residents, that organization must comply by posting a privacy policy in accordance with CalOPPA.&lt;/p&gt;
&lt;p&gt;&lt;u&gt;&lt;strong&gt;Is the App Agreement law?&lt;/strong&gt;&lt;/u&gt;&lt;/p&gt;
&lt;p&gt;No.&amp;nbsp; The App Agreement is a &amp;quot;Joint Statement of Principles&amp;quot; and is not legally binding.&amp;nbsp; It explicitly states that it is &amp;quot;not intended to impose legally binding obligations on the Participants or affect existing obligations under law.&amp;quot;&lt;/p&gt;
&lt;p&gt;&lt;u&gt;&lt;strong&gt;Does California law require that certain things be included in an app's privacy policy?&lt;/strong&gt;&lt;/u&gt;&lt;/p&gt;
&lt;p&gt;Yes, CalOPPA requires that the privacy policy identify the categories of personally identifiable information that the operator collects through the Web site or online service about individual consumers who use or visit its commercial Web site or online service and the categories of third-party persons or entities with whom the operator may share that personally identifiable information.&amp;nbsp; It also requires that, if the operator maintains a process for an individual consumer who uses or visits its commercial Web site or online service to review and request changes to any of his or her personally identifiable information that is collected through the Web site or online service, the privacy policy must provide a description of that process.&amp;nbsp; The privacy policy must also describe the process by which the operator notifies consumers who use or visit its commercial Web site or online service of material changes to the operator's privacy policy for that Web site or online service.&amp;nbsp; Finally, the privacy policy must identify its effective date.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;u&gt;How does California law define personally identifiable information? Just name with Social Security number, financial account number, or driver's license number, right?&lt;/u&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;No, CalOPPA has always broadly defined PII for purposes of online privacy policies to include individually identifiable information about an individual consumer collected online by the operator from that individual and maintained by the operator in an accessible form.&amp;nbsp; Such information includes any of the following: (1) A first and last name. (2) A home or other physical address, including street name and name of a city or town. (3) An e-mail address. (4) A telephone number. (5) A social security number. (6) Any other identifier that permits the physical or online contacting of a specific individual. (7) Information concerning a user that the Web site or online service collects online from the user and maintains in personally identifiable form in combination with an identifier described in this subdivision.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;u&gt;What does the App Agreement have in common with the White House Consumer Privacy Bill of Rights?&lt;/u&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Two of the principles set forth in the White House's new Consumer Privacy Bill of Rights have long been incorporated in CalOPPA&amp;nbsp;and are reiterated and reaffirmed by the App Agreement: Transparency and Access and Accuracy.&amp;nbsp; California has long required that organizations conspicuously post their privacy policies so that consumers can more easily obtain information about their privacy rights.&amp;nbsp; California has also long required that companies explain to consumers how they can review and request changes to their PII.&amp;nbsp;&lt;/p&gt;
&lt;p&gt;Both documents and the principles set forth therein also find their origins in the decades-old &lt;a href="http://www.ftc.gov/reports/privacy3/fairinfo.shtm"&gt;Fair Information Practice Principles (FIPPs)&lt;/a&gt;.&lt;/p&gt;
&lt;p&gt;Ms. Harris's requirement that the App Platform Participants engage in ongoing discussions with the AG's office and reconvene in six months also resonates with the Obama Administration's contemplated multi-stakeholder approach to produce enforceable codes of conduct that implement the Consumer Privacy Bill of Rights.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;&lt;u&gt;While we're talking about this, anything else to consider about California law?&lt;/u&gt;&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;It is worth noting that a number of longstanding California privacy laws are getting fresh airplay these days.&amp;nbsp; In addition to CalOPPA, discussed here, &lt;a href="http://www.leginfo.ca.gov/cgi-bin/displaycode?section=civ&amp;amp;group=01001-02000&amp;amp;file=1798.80-1798.84"&gt;California's Shine the Light law, California Civil Code section 1798.83&lt;/a&gt;, is back on the scene.&amp;nbsp; On the books since January 1, 2005, &lt;a href="http://www.privacy.ca.gov/res/docs/pdf/infosharingdisclos.pdf" title="California Office of Privacy Protection&amp;rsquo;s Recommended Practices on California Information-Sharing Disclosures and Privacy Policy Statements"&gt;Shine the Light&lt;/a&gt; is now being invoked by plaintiffs' lawyers in class actions - the first of their kind - filed in 2012.&amp;nbsp; Shine the Light takes the privacy policy transparency principle a step further.&amp;nbsp; It allows California residents to request information from businesses about their third-party information-sharing practices.  Another thing that CalOPPA and Shine the Light have in common - they both specifically make reference to an organization's option of using a hyperlink with the word &amp;quot;privacy&amp;quot; in it to make consumers aware of an organization's privacy policy.&amp;nbsp; The App Agreement once again highlights the importance of conspicuous hyperlinks.&lt;/p&gt;
&lt;p&gt;&lt;u&gt;&lt;strong&gt;Consumer Privacy &amp;quot;Rights&amp;quot; - Not Just for Californians Anymore&lt;/strong&gt;&lt;/u&gt;&lt;/p&gt;
&lt;p&gt;Once again, California is driving the conversation on privacy.&amp;nbsp; Principles that may have once seemed outside the mainstream or just another crazy California thing, long memorialized in actual binding law out here, are now going mainstream in this country.&amp;nbsp; They are also moving US conceptions of privacy closer to the European model of core user privacy rights, albeit with a uniquely US multi-stakeholder non-binding flavor.&amp;nbsp; Will we see federal legislation that embodies these principles?&amp;nbsp; Unknown and perhaps unlikely in the short-term.&amp;nbsp; However, given existing California law on this issue, Attorney General Harris's renewed focus on privacy (especially in the ubiquitous mobile space), and the likelihood of increased enforcement and class action litigation for organizations doing business in California, the time may be right for all organizations to reexamine their privacy practices with an eye towards these principles.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/InfoLawGroup/~4/G742TMkdU1A" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/InfoLawGroup/~3/G742TMkdU1A/</link>
         <guid isPermaLink="false">http://www.infolawgroup.com/2012/02/articles/pii/privacy-in-principle-as-california-goes-so-goes-the-nation-part-four/</guid>
         <category domain="http://www.infolawgroup.com/tags">Amazon</category><category domain="http://www.infolawgroup.com/tags">Apple</category><category domain="http://www.infolawgroup.com/tags">Apps</category><category domain="http://www.infolawgroup.com/tags">California</category><category domain="http://www.infolawgroup.com/tags">Google</category><category domain="http://www.infolawgroup.com/tags">HP</category><category domain="http://www.infolawgroup.com/tags">Harris</category><category domain="http://www.infolawgroup.com/tags">Microsoft</category><category domain="http://www.infolawgroup.com/tags">Mobile</category><category domain="http://www.infolawgroup.com/articles">PII</category><category domain="http://www.infolawgroup.com/legal">Privacy Policy</category><category domain="http://www.infolawgroup.com/tags">RIM</category><category domain="http://www.infolawgroup.com/tags">Shine the Light</category><category domain="http://www.infolawgroup.com/tags">White House</category><category domain="http://www.infolawgroup.com/tags">mobile privacy</category><category domain="http://www.infolawgroup.com/tags">privacy bill of rights</category>
         <pubDate>Mon, 27 Feb 2012 07:18:00 -0700</pubDate>
         <dc:creator>Tanya Forsheit</dc:creator>
      
      <feedburner:origLink>http://www.infolawgroup.com/2012/02/articles/pii/privacy-in-principle-as-california-goes-so-goes-the-nation-part-four/</feedburner:origLink></item>
            <item>
         <title>White House Released Privacy Framework Includes the Consumer Privacy Bill of Rights</title>
         <description>&lt;p&gt;The White House today released its white paper setting forth a framework for &lt;a href="http://www.hldataprotection.com/uploads/file/White%20Paper.pdf"&gt;&amp;quot;Protecting Privacy And Promoting Innovation in The Global Digital Economy&amp;quot;&lt;/a&gt; (the &amp;quot;Framework&amp;quot;). The Framework is far reaching, touching on everything from a call for legislation, including a national standard for security breach legislation, to promoting international interoperability.&lt;/p&gt;
&lt;p&gt;The Framework centers on &lt;a href="http://money.cnn.com/2012/02/22/technology/bill_of_rights_privacy/"&gt;The Consumer Privacy Bill of Rights&lt;/a&gt;, which contains seven core principles relating to &amp;ldquo;personal data.&amp;rdquo;  Note that &amp;ldquo;personal data&amp;rdquo; is defined broadly, to encompass any data, including aggregated data, which can be linked to a specific individual, and may include data linked to a specific computer or other device. It is worth noting that the Framework includes, as an illustrative example of personal data, &amp;quot;an identifier on a smartphone or family computer that is used to build a usage profile.&amp;quot;&lt;br /&gt;
&lt;!--[if gte mso 9]&gt;&lt;xml&gt;
&lt;o:OfficeDocumentSettings&gt;
&lt;o:TargetScreenSize&gt;800x600&lt;/o:TargetScreenSize&gt;
&lt;/o:OfficeDocumentSettings&gt;
&lt;/xml&gt;&lt;![endif]--&gt;&lt;!--[if gte mso 9]&gt;&lt;xml&gt;
&lt;w:WordDocument&gt;
&lt;w:View&gt;Normal&lt;/w:View&gt;
&lt;w:Zoom&gt;0&lt;/w:Zoom&gt;
&lt;w:TrackMoves /&gt;
&lt;w:TrackFormatting /&gt;
&lt;w:PunctuationKerning /&gt;
&lt;w:ValidateAgainstSchemas /&gt;
&lt;w:SaveIfXMLInvalid&gt;false&lt;/w:SaveIfXMLInvalid&gt;
&lt;w:IgnoreMixedContent&gt;false&lt;/w:IgnoreMixedContent&gt;
&lt;w:AlwaysShowPlaceholderText&gt;false&lt;/w:AlwaysShowPlaceholderText&gt;
&lt;w:DoNotPromoteQF /&gt;
&lt;w:LidThemeOther&gt;EN-US&lt;/w:LidThemeOther&gt;
&lt;w:LidThemeAsian&gt;X-NONE&lt;/w:LidThemeAsian&gt;
&lt;w:LidThemeComplexScript&gt;X-NONE&lt;/w:LidThemeComplexScript&gt;
&lt;w:Compatibility&gt;
&lt;w:BreakWrappedTables /&gt;
&lt;w:SnapToGridInCell /&gt;
&lt;w:WrapTextWithPunct /&gt;
&lt;w:UseAsianBreakRules /&gt;
&lt;w:DontGrowAutofit /&gt;
&lt;w:SplitPgBreakAndParaMark /&gt;
&lt;w:EnableOpenTypeKerning /&gt;
&lt;w:DontFlipMirrorIndents /&gt;
&lt;w:OverrideTableStyleHps /&gt;
&lt;/w:Compatibility&gt;
&lt;w:BrowserLevel&gt;MicrosoftInternetExplorer4&lt;/w:BrowserLevel&gt;
&lt;m:mathPr&gt;
&lt;m:mathFont m:val="Cambria Math" /&gt;
&lt;m:brkBin m:val="before" /&gt;
&lt;m:brkBinSub m:val="&amp;#45;-" /&gt;
&lt;m:smallFrac m:val="off" /&gt;
&lt;m:dispDef /&gt;
&lt;m:lMargin m:val="0" /&gt;
&lt;m:rMargin m:val="0" /&gt;
&lt;m:defJc m:val="centerGroup" /&gt;
&lt;m:wrapIndent m:val="1440" /&gt;
&lt;m:intLim m:val="subSup" /&gt;
&lt;m:naryLim m:val="undOvr" /&gt;
&lt;/m:mathPr&gt;&lt;/w:WordDocument&gt;
&lt;/xml&gt;&lt;![endif]--&gt;&lt;!--[if gte mso 9]&gt;&lt;xml&gt;
&lt;w:LatentStyles DefLockedState="false" DefUnhideWhenUsed="true"
DefSemiHidden="true" DefQFormat="false" DefPriority="99"
LatentStyleCount="267"&gt;
&lt;w:LsdException Locked="false" Priority="0" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Normal" /&gt;
&lt;w:LsdException Locked="false" Priority="0" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="heading 1" /&gt;
&lt;w:LsdException Locked="false" Priority="0" QFormat="true" Name="heading 2" /&gt;
&lt;w:LsdException Locked="false" Priority="0" QFormat="true" Name="heading 3" /&gt;
&lt;w:LsdException Locked="false" Priority="0" QFormat="true" Name="heading 4" /&gt;
&lt;w:LsdException Locked="false" Priority="0" QFormat="true" Name="heading 5" /&gt;
&lt;w:LsdException Locked="false" Priority="0" QFormat="true" Name="heading 6" /&gt;
&lt;w:LsdException Locked="false" Priority="0" QFormat="true" Name="heading 7" /&gt;
&lt;w:LsdException Locked="false" Priority="0" QFormat="true" Name="heading 8" /&gt;
&lt;w:LsdException Locked="false" Priority="0" QFormat="true" Name="heading 9" /&gt;
&lt;w:LsdException Locked="false" Priority="39" Name="toc 1" /&gt;
&lt;w:LsdException Locked="false" Priority="39" Name="toc 2" /&gt;
&lt;w:LsdException Locked="false" Priority="39" Name="toc 3" /&gt;
&lt;w:LsdException Locked="false" Priority="39" Name="toc 4" /&gt;
&lt;w:LsdException Locked="false" Priority="39" Name="toc 5" /&gt;
&lt;w:LsdException Locked="false" Priority="39" Name="toc 6" /&gt;
&lt;w:LsdException Locked="false" Priority="39" Name="toc 7" /&gt;
&lt;w:LsdException Locked="false" Priority="39" Name="toc 8" /&gt;
&lt;w:LsdException Locked="false" Priority="39" Name="toc 9" /&gt;
&lt;w:LsdException Locked="false" Priority="35" QFormat="true" Name="caption" /&gt;
&lt;w:LsdException Locked="false" Priority="10" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Title" /&gt;
&lt;w:LsdException Locked="false" Priority="0" Name="Default Paragraph Font" /&gt;
&lt;w:LsdException Locked="false" Priority="11" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtitle" /&gt;
&lt;w:LsdException Locked="false" Priority="22" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Strong" /&gt;
&lt;w:LsdException Locked="false" Priority="20" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Emphasis" /&gt;
&lt;w:LsdException Locked="false" Priority="59" SemiHidden="false"
UnhideWhenUsed="false" Name="Table Grid" /&gt;
&lt;w:LsdException Locked="false" UnhideWhenUsed="false" Name="Placeholder Text" /&gt;
&lt;w:LsdException Locked="false" Priority="1" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="No Spacing" /&gt;
&lt;w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading" /&gt;
&lt;w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List" /&gt;
&lt;w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid" /&gt;
&lt;w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1" /&gt;
&lt;w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2" /&gt;
&lt;w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1" /&gt;
&lt;w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2" /&gt;
&lt;w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1" /&gt;
&lt;w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2" /&gt;
&lt;w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3" /&gt;
&lt;w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List" /&gt;
&lt;w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading" /&gt;
&lt;w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List" /&gt;
&lt;w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid" /&gt;
&lt;w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 1" /&gt;
&lt;w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 1" /&gt;
&lt;w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 1" /&gt;
&lt;w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 1" /&gt;
&lt;w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 1" /&gt;
&lt;w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 1" /&gt;
&lt;w:LsdException Locked="false" UnhideWhenUsed="false" Name="Revision" /&gt;
&lt;w:LsdException Locked="false" Priority="34" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="List Paragraph" /&gt;
&lt;w:LsdException Locked="false" Priority="29" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Quote" /&gt;
&lt;w:LsdException Locked="false" Priority="30" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Quote" /&gt;
&lt;w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 1" /&gt;
&lt;w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 1" /&gt;
&lt;w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 1" /&gt;
&lt;w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 1" /&gt;
&lt;w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 1" /&gt;
&lt;w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 1" /&gt;
&lt;w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 1" /&gt;
&lt;w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 1" /&gt;
&lt;w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 2" /&gt;
&lt;w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 2" /&gt;
&lt;w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 2" /&gt;
&lt;w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 2" /&gt;
&lt;w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 2" /&gt;
&lt;w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 2" /&gt;
&lt;w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 2" /&gt;
&lt;w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 2" /&gt;
&lt;w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 2" /&gt;
&lt;w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 2" /&gt;
&lt;w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 2" /&gt;
&lt;w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 2" /&gt;
&lt;w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 2" /&gt;
&lt;w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 2" /&gt;
&lt;w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 3" /&gt;
&lt;w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 3" /&gt;
&lt;w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 3" /&gt;
&lt;w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 3" /&gt;
&lt;w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 3" /&gt;
&lt;w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 3" /&gt;
&lt;w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 3" /&gt;
&lt;w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 3" /&gt;
&lt;w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 3" /&gt;
&lt;w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 3" /&gt;
&lt;w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 3" /&gt;
&lt;w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 3" /&gt;
&lt;w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 3" /&gt;
&lt;w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 3" /&gt;
&lt;w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 4" /&gt;
&lt;w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 4" /&gt;
&lt;w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 4" /&gt;
&lt;w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 4" /&gt;
&lt;w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 4" /&gt;
&lt;w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 4" /&gt;
&lt;w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 4" /&gt;
&lt;w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 4" /&gt;
&lt;w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 4" /&gt;
&lt;w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 4" /&gt;
&lt;w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 4" /&gt;
&lt;w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 4" /&gt;
&lt;w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 4" /&gt;
&lt;w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 4" /&gt;
&lt;w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 5" /&gt;
&lt;w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 5" /&gt;
&lt;w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 5" /&gt;
&lt;w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 5" /&gt;
&lt;w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 5" /&gt;
&lt;w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 5" /&gt;
&lt;w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 5" /&gt;
&lt;w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 5" /&gt;
&lt;w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 5" /&gt;
&lt;w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 5" /&gt;
&lt;w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 5" /&gt;
&lt;w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 5" /&gt;
&lt;w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 5" /&gt;
&lt;w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 5" /&gt;
&lt;w:LsdException Locked="false" Priority="60" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Shading Accent 6" /&gt;
&lt;w:LsdException Locked="false" Priority="61" SemiHidden="false"
UnhideWhenUsed="false" Name="Light List Accent 6" /&gt;
&lt;w:LsdException Locked="false" Priority="62" SemiHidden="false"
UnhideWhenUsed="false" Name="Light Grid Accent 6" /&gt;
&lt;w:LsdException Locked="false" Priority="63" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 1 Accent 6" /&gt;
&lt;w:LsdException Locked="false" Priority="64" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Shading 2 Accent 6" /&gt;
&lt;w:LsdException Locked="false" Priority="65" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 1 Accent 6" /&gt;
&lt;w:LsdException Locked="false" Priority="66" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium List 2 Accent 6" /&gt;
&lt;w:LsdException Locked="false" Priority="67" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 1 Accent 6" /&gt;
&lt;w:LsdException Locked="false" Priority="68" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 2 Accent 6" /&gt;
&lt;w:LsdException Locked="false" Priority="69" SemiHidden="false"
UnhideWhenUsed="false" Name="Medium Grid 3 Accent 6" /&gt;
&lt;w:LsdException Locked="false" Priority="70" SemiHidden="false"
UnhideWhenUsed="false" Name="Dark List Accent 6" /&gt;
&lt;w:LsdException Locked="false" Priority="71" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Shading Accent 6" /&gt;
&lt;w:LsdException Locked="false" Priority="72" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful List Accent 6" /&gt;
&lt;w:LsdException Locked="false" Priority="73" SemiHidden="false"
UnhideWhenUsed="false" Name="Colorful Grid Accent 6" /&gt;
&lt;w:LsdException Locked="false" Priority="19" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Emphasis" /&gt;
&lt;w:LsdException Locked="false" Priority="21" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Emphasis" /&gt;
&lt;w:LsdException Locked="false" Priority="31" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Subtle Reference" /&gt;
&lt;w:LsdException Locked="false" Priority="32" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Intense Reference" /&gt;
&lt;w:LsdException Locked="false" Priority="33" SemiHidden="false"
UnhideWhenUsed="false" QFormat="true" Name="Book Title" /&gt;
&lt;w:LsdException Locked="false" Priority="37" Name="Bibliography" /&gt;
&lt;w:LsdException Locked="false" Priority="39" QFormat="true" Name="TOC Heading" /&gt;
&lt;/w:LatentStyles&gt;
&lt;/xml&gt;&lt;![endif]--&gt;&lt;!--[if gte mso 10]&gt;
&lt;style&gt;
/* Style Definitions */
table.MsoNormalTable
{mso-style-name:"Table Normal";
mso-tstyle-rowband-size:0;
mso-tstyle-colband-size:0;
mso-style-noshow:yes;
mso-style-priority:99;
mso-style-parent:"";
mso-padding-alt:0in 5.4pt 0in 5.4pt;
mso-para-margin:0in;
mso-para-margin-bottom:.0001pt;
mso-pagination:widow-orphan;
font-size:10.0pt;
font-family:"Times New Roman","serif";}
&lt;/style&gt;
&lt;![endif]--&gt;&lt;/p&gt;
&lt;p&gt;&lt;span style="font-size:9.0pt;font-family:&amp;quot;Arial&amp;quot;,&amp;quot;sans-serif&amp;quot;;color:black"&gt;The seven principles set forth in The Consumer Privacy Bill of Rights are as follows.&lt;/span&gt;&lt;/p&gt;&lt;p&gt;1. &lt;strong&gt;Consumer Control&lt;/strong&gt;: granting consumers the right to exercise control over the personal data companies collect and how companies use that personal data.&lt;/p&gt;
&lt;p style="margin-left: 40px;"&gt;&lt;em&gt;&lt;strong&gt;Of note:  &lt;/strong&gt;The Framework calls for companies to provide &amp;ldquo;appropriate control&amp;rdquo; and for the choice to reflect the &amp;ldquo;scale, scope, and sensitivity&amp;rdquo; of the personal data collected and the uses made of the personal data.&lt;strong&gt;  &lt;/strong&gt;&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;2. &lt;strong&gt;Transparency&lt;/strong&gt;: calling for consumers to have the right to easily understandable and accessible information about a company&amp;rsquo;s privacy and security practices.&lt;/p&gt;
&lt;p&gt;3.&lt;strong&gt; Respect for Context&lt;/strong&gt;: providing that companies should only collect, use, and disclose personal data in ways that are consistent with the context in which the consumers provided the personal data, unless the law requires otherwise or additional transparency and choice are provided.&lt;/p&gt;
&lt;p style="margin-left: 40px;"&gt;&lt;strong&gt;&lt;em&gt;Of note&lt;/em&gt;&lt;/strong&gt;&lt;em&gt;: The Framework includes both the company&amp;rsquo;s relationship with the consumer and the consumer&amp;rsquo;s age and familiarity with technology as relevant factors in determining the context in which consumers provide personal data and the uses that should therefore be made of that personal data.  The Framework calls out children and teenagers as potentially needing greater protections for personal data.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;4. &lt;strong&gt;Security&lt;/strong&gt;: giving consumers the right to secure and responsible handling of personal data and requiring companies to provide &amp;ldquo;reasonable safeguards&amp;rdquo; to control risks.&lt;/p&gt;
&lt;p&gt;5. &lt;strong&gt;Access and Accuracy&lt;/strong&gt;: providing that consumers have the right to access and correct personal data, in usable formats, but further providing that the right is subject to what is appropriate given the sensitivity of the data and the risk of adverse consequences &amp;ndash; also referred to as &amp;ldquo;material harm&amp;rdquo; &amp;ndash; to consumers if the data is inaccurate.&lt;/p&gt;
&lt;p style="margin-left: 40px;"&gt;&lt;em&gt;&lt;strong&gt;Of note&lt;/strong&gt;&lt;/em&gt;:  &lt;em&gt;The Framework also calls on companies to use &amp;ldquo;reasonable measures&amp;rdquo; to ensure the personal data they maintain is accurate and references providing consumers with the right to delete or suppress information &amp;ndash; all subject to &amp;ldquo;the scale, scope, and sensitivity of the personal data that they collect or maintain and the likelihood that its use may expose consumers to financial, physical, or other material harm.&amp;rdquo;&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;6. &lt;strong&gt;Focused Collection&lt;/strong&gt;: relating to the Context Principle (#3) and calling for consumers to have the right to set reasonable limits on the personal data that companies collect and retain, and calling on companies to securely dispose or de-identify the personal data collected once it is no longer needed, unless the company is under a legal obligation to keep it in its identified form.&lt;/p&gt;
&lt;p&gt;7.&lt;strong&gt; Accountability&lt;/strong&gt;: setting forth that companies must handle personal data with appropriate measures in place to assure they adhere to the Consumer Privacy Bill of Rights and that companies should be accountable to both enforcement authorities and consumers for following the principles in the Framework.&lt;/p&gt;
&lt;p style="margin-left: 40px;"&gt;&lt;strong&gt;Of note&lt;/strong&gt;:  &lt;em&gt;The Framework specifically states that companies should train employees and hold them responsible for adhering to these principles and that they should include enforceable contract clauses with third parties (unless the law requires otherwise) when disclosing personal data to those third parties. The Framework also provides that it will &amp;ldquo;where appropriate&amp;rdquo; companies should conduct full audits.&lt;/em&gt;&lt;/p&gt;
&lt;p&gt;These principles provide the basis for a proposed multitude of initiatives, including legislation codifying The Consumer Privacy Bill of Rights, strengthening FTC enforcement, and the creation of &amp;ldquo;multi-stakeholder processes&amp;rdquo; and codes of conduct, which include an international cooperation component. There is sure to be a great deal of discussion and feedback from all of the industry stakeholders, and it is unclear who will take action to codify The Consumer Privacy Bill of Rights or any principle contained within the Framework.  The Framework increases the visibility of and adds to the privacy discussion, but the discussion will certainly continue. &lt;br /&gt;
&amp;nbsp;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/InfoLawGroup/~4/XhmrCuIActg" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/InfoLawGroup/~3/XhmrCuIActg/</link>
         <guid isPermaLink="false">http://www.infolawgroup.com/2012/02/articles/privacy-law/white-house-released-privacy-framework-includes-the-consumer-privacy-bill-of-rights/</guid>
         <category domain="http://www.infolawgroup.com/tags">Consumer Protection</category><category domain="http://www.infolawgroup.com/tags">FTC</category><category domain="http://www.infolawgroup.com/">Privacy</category><category domain="http://www.infolawgroup.com/articles">Privacy Law</category><category domain="http://www.infolawgroup.com/information-law/statues-and-regulations/state">Security</category><category domain="http://www.infolawgroup.com/tags">Whitehouse</category><category domain="http://www.infolawgroup.com/tags">collection</category><category domain="http://www.infolawgroup.com/tags">legislation</category><category domain="http://www.infolawgroup.com/tags">personal data</category><category domain="http://www.infolawgroup.com/tags">transparency</category>
         <pubDate>Thu, 23 Feb 2012 10:01:02 -0700</pubDate>
         <dc:creator>Justine Gottshall</dc:creator>
      
      <feedburner:origLink>http://www.infolawgroup.com/2012/02/articles/privacy-law/white-house-released-privacy-framework-includes-the-consumer-privacy-bill-of-rights/</feedburner:origLink></item>
            <item>
         <title>Transborder Data Flows at Risk</title>
         <description>&lt;p&gt;Physical borders may be technically irrelevant in the age of online business, global corporate groups, and cloud computing, but they retain legal and cultural significance.  Some recent developments in data privacy law around the world suggest that the &amp;ldquo;free flow of information&amp;rdquo; is becoming more conditional, and that enterprises will have to be nimble to meet the expectations of regulators, consumers, and employees when the organization wants to move personally identifiable data from one country to another.&amp;nbsp;&lt;/p&gt;&lt;p&gt;The proliferation of comprehensive data privacy laws, more or less on the European model, increasingly requires US-based multinationals and online companies to adapt to strict requirements for dealing with individuals in other countries. &amp;nbsp;While the rules may soon become more uniform in the EU, they are still new and uncertain in many other countries.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;European Union&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;In January 2012, the European Commission published a proposed &lt;a href="http://ec.europa.eu/justice/newsroom/data-protection/news/120125_en.htm"&gt;Regulation&lt;/a&gt;&amp;nbsp;that would replace the 1995 EU Data Protection Directive.  While national practices differ considerably under the 1995 framework directive, the Regulation would establish a much more consistent European approach to data protection rights and enforcement.&lt;/p&gt;
&lt;p&gt;The Regulation would continue to authorize data transfers to &amp;ldquo;white-listed&amp;rdquo; jurisdictions with EU-style comprehensive data protection laws (such as Switzerland, Argentina, Israel, and, for most purposes, Canada).  It would also continue to recognize data transfers to US &amp;ldquo;Safe Harbor&amp;rdquo; companies and transfers protected by EU-approved standard contract clauses (&amp;ldquo;model contracts&amp;rdquo;) or binding corporate rules (&amp;ldquo;BCRs&amp;rdquo;), as well as transfers relying on informed consent.  These have been subject to divergent national interpretations and procedures, however, and the Regulation aims to eliminate these differences.&lt;/p&gt;
&lt;p&gt;For example, a European subsidiary sending employee or customer data to a central corporate system in New York, or to an outsourcing vendor in Mumbai, may use EU model contracts. &amp;nbsp;But in some countries, such as the Netherlands, the contracts must first be notified to the local data protection authority or await approval from the authority.  The Regulation would eliminate notification and approval procedures for those transfers.  It would simplify, as well, the procedures for obtaining approval for BCRs, and it would allow a &amp;ldquo;group&amp;rdquo; of processors &amp;ndash; as in the cloud computing context &amp;ndash; to implement the same approved BCRs.  In addition, the Regulation would generally allow data transfers outside the EU without the formality of model contracts or BCRs in instances where the transfers were not &amp;ldquo;frequent or massive,&amp;rdquo; appropriate safeguards were in place, and the national data protection authority was notified.  These changes would be welcome, as they would greatly simplify planning and compliance for enterprises with European operations.&lt;/p&gt;
&lt;p&gt;Less welcome are the provisions on extra-territorial jurisdiction in the draft Regulation. &amp;nbsp; A US company,&amp;nbsp;for example, would be subject to the Regulation if it offered goods or services to European residents, online or otherwise, or if it monitored their behavior (for example, by tracking their visits to other websites).  This assertion of extra-territorial jurisdiction could prove difficult to enforce, but it would require American companies to re-think their approach to e-commerce and online marketing.  It may not suffice in the future to say that European rules do not apply simply because the company&amp;rsquo;s servers are not located there.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Russia&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Russia adopted legislation based on the EU Data Protection Directive and Council of Europe Convention 108, generally prohibiting data transfers to countries lacking similar legislation absent the individual&amp;rsquo;s informed consent.  However, it has been slow to organize the regulatory authority and clarify standards and procedures.&lt;/p&gt;
&lt;p&gt;In July 2011, the Federal Law on Personal Data was amended to expressly allow data transfers to countries that have implemented the Council of Europe Convention, but this does not cover transfers to the United States or India, for example.  There is no recognition of model contracts or Safe Harbor as there is in the EU and Switzerland, leaving documented consent as the safest approach to foreign data transfers.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;China and Hong Kong&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;In 2011, the Ministry of Industry and Information Technology (MIIT) issued a proposed national standard, &amp;ldquo;Information Security Technology &amp;ndash; Guidelines for Personal Information Protection.&amp;rdquo;  The draft standard would require security provisions in outsourcing agreements.  More problematically, it would prohibit the transfer of personal data abroad without explicit legal authorization or regulatory approval.  It is not clear whether the standard would be mandatory for at least some industries, and whether any regulatory authority would issue guidelines or establish an approval procedure.&lt;/p&gt;
&lt;p&gt;Meanwhile, Jiangsu Province (where many foreign manufacturing joint ventures operate) has gone ahead on its own with a &amp;ldquo;Regulation of Information Technology&amp;rdquo; that came into force in January 2012.  This ordinance generally requires consent or official approval for data transfers outside the province.  The municipal government of Shenzhen, near Hong Kong, has announced that it is preparing a similar ordinance.&lt;/p&gt;
&lt;p&gt;Hong Kong has long had a Personal Data (Privacy) Ordinance, but its restrictions on transborder data transfers have never come into force.  The Legislative Council is currently considering substantial amendments to the Ordinance, including provisions for white-listing and safeguards reminiscent of the EU approach to regulating data transfers abroad.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Mexico&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The 2010 Law on the Protection of Personal Data Held by Private Parties and the implementing Data Privacy Regulations (some provisions of which have not yet entered into force) address cross-border transfers of personal data.  These require informed consent unless certain other conditions apply, one of which is data transfers to a parent or affiliate abroad operating under the same &amp;ldquo;internal processes and policies&amp;rdquo; as the compliant Mexican subsidiary (Law, Art. 37(III)).  Effectively, this means that data could be transferred across borders within a corporate group, so long as the affected Mexican residents are given required rights of access, rectification, cancellation, and objection (&amp;ldquo;ARCO&amp;rdquo; rights), as mandated in the Mexican law, and the company meets security and other requirements for safeguarding the data.  Transfers to a processor outside Mexico also would not require consent if they are subject to appropriate contractual and technical safeguards.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Republic of Korea&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;South Korea&amp;rsquo;s new Personal Information Protection Act, which came into effect in September 2011, generally requires consent to disclose personal data to a third party (Art. 17(1)).  Transfers of data outside the country require notice and consent from the individual unless the transfers are legally required or made in connection with a criminal investigation (Art. 17(3)).&lt;/p&gt;
&lt;p&gt;This strict consent requirement can be made to work in the consumer context, but it may be more difficult to implement in the employment context.  Can a multinational group make it a condition of employment that recruits and current employees allow their data to be stored and used in a regional or international headquarters?  As with other new national data privacy laws, global companies may have to await regulations or interpretive guidance from the authorities, in this case the Korean Ministry of Public Administration and Safety.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Malaysia&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;The Personal Data Protection Act adopted in 2010 is expected to come into force this year. &amp;nbsp;Similar to the EU Data Protection Directive, the Act generally forbids the transfer of personal data outside the country, with some exceptions, unless the Ministry of Information, Communication, and Culture has approved the destination country based on an &amp;ldquo;adequate level of protection.&amp;rdquo;  Ultimately, the Ministry may issue regulations clarifying alternatives for transfers to countries with dissimilar legal regimes, such as the United States.  Otherwise, once the law is in effect, a global enterprise would need to rely on one of the EU-style exceptions, principally consent or the performance of a contract with the individual.&lt;/p&gt;
&lt;p&gt;&lt;strong&gt;Conclusions&lt;/strong&gt;&lt;/p&gt;
&lt;p&gt;Data users should review the geography of their customers and employees and determine if their privacy policies and practices need to be updated to comply with new or anticipated requirements in many countries, in Asia and Latin America as well as in Europe.  These typically mandate notice and safeguards for transborder data transfers, as documented in contracts, internal policies, and in some cases regulatory approvals.&lt;/p&gt;
&lt;p&gt;In some countries, the only reliable legal basis for foreign data transfers in the near future is informed consent, which should be documented in a manner susceptible to proof. &amp;nbsp;This will pose challenges for multinationals and for online retailers and service providers, and it would be prudent to watch for developing best practices among peer companies as well as further guidance from the (often new) regulatory authorities.&lt;br /&gt;
&amp;nbsp;&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/InfoLawGroup/~4/HBjXmudVRMw" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/InfoLawGroup/~3/HBjXmudVRMw/</link>
         <guid isPermaLink="false">http://www.infolawgroup.com/2012/02/articles/international-2/transborder-data-flows-at-risk/</guid>
         <category domain="http://www.infolawgroup.com/articles">Cloud Computing</category><category domain="http://www.infolawgroup.com/articles">Data Privacy Law or Regulation</category><category domain="http://www.infolawgroup.com/articles">EU</category><category domain="http://www.infolawgroup.com/articles">International</category><category domain="http://www.infolawgroup.com/tags">data protection</category><category domain="http://www.infolawgroup.com/tags">transborder data flows</category>
         <pubDate>Mon, 20 Feb 2012 22:25:38 -0700</pubDate>
         <dc:creator>W. Scott Blackmer</dc:creator>
      
      <feedburner:origLink>http://www.infolawgroup.com/2012/02/articles/international-2/transborder-data-flows-at-risk/</feedburner:origLink></item>
            <item>
         <title>FTC: "The Kids App Ecosystem Needs To Wake Up..."</title>
         <description>&lt;p&gt;Today, the FTC released a report titled &lt;a href="http://www.ftc.gov/os/2012/02/120216mobile_apps_kids.pdf"&gt;&lt;em&gt;Mobile Apps for Kids: Current Privacy Disclosures Are Dis &lt;strong&gt;app&lt;/strong&gt;ointing&lt;/em&gt;&lt;/a&gt;. The FTC surveyed apps for children available in the Android Market and the Apple App store. The FTC found that apps can capture a bunch of information from a device and person, but there is a lack of information about data collection and usage available to parents prior to downloading the app.  The FTC noted that its methodology for the survey did not include downloading or using any app. Instead, the FTC only looked to what information was available to the consumer via the app store or the developer&amp;rsquo;s web site prior to downloading the app.&lt;/p&gt;
&lt;p&gt;&amp;quot;In most instances, staff was unable to determine from the information on the app store page or the developer's landing page whether an app collected any data, let alone the type of data collected, the purpose for such collection, and who . . . obtained access to such data.&amp;quot;&lt;/p&gt;
&lt;p&gt;The report calls upon all members of the &amp;ldquo;kids app ecosystem&amp;rdquo; to play an active role in providing information to parents. App developers should describe their data practices to consumers using simple and short disclosures or icons. App stores should ensure that app developers have a way to make such disclosures (the FTC suggests that there should be some standardization created by the app store itself to allow for the disclosures). And third parties that collect user information through apps should disclose their privacy practices via a link on the app promotion page or within the app developer&amp;rsquo;s disclosures.&lt;/p&gt;&lt;p&gt;The FTC says that an app&amp;rsquo;s privacy disclosures should concentrate on:&lt;/p&gt;
&lt;ul&gt;
    &lt;li&gt;What information the app collects and why;&lt;/li&gt;
    &lt;li&gt;How the information will be used;&lt;/li&gt;
    &lt;li&gt;With whom the information will be shared;&lt;/li&gt;
    &lt;li&gt;If the app integrates with a social network; and&lt;/li&gt;
    &lt;li&gt;If the app allows targeted advertising to occur through the app.&lt;/li&gt;
&lt;/ul&gt;
&lt;p&gt;The report also seems to indicate that if an app includes ads, there should be a disclosure indicating so (even if the ads are not targeted based on the user&amp;rsquo;s information).&lt;/p&gt;
&lt;p&gt;The FTC acknowledged that the Android Marketplace requires a user to acknowledge certain potentially sensitive capabilities of an app via a permissions screen. However, the FTC found the permissions screen inadequate because it does not explain why an app has or needs the access, what the app does with that access or whether the app shares any information with third parties.&lt;/p&gt;
&lt;p&gt;The FTC was careful to state that the survey and report did not focus on compliance with the Children&amp;rsquo;s Online Privacy Protection Act (COPPA). However, the report does conclude that most of the apps surveyed did appear to be &amp;ldquo;directed to children&amp;rdquo; within the meaning of COPPA. In fact, the report goes on to say that the staff will conduct an additional review over the next 6 months to determine if some mobile apps are violating COPPA and to evaluate if the app ecosystem is addressing the report released today. In addition, the FTC is going to host a workshop this year in connection with the updates to its &amp;ldquo;Dot Com Disclosure&amp;rdquo; guide and one of the topics will be mobile privacy disclosures.&lt;/p&gt;&lt;img src="http://feeds.feedburner.com/~r/InfoLawGroup/~4/cW8gXf4zVx4" height="1" width="1"/&gt;</description>
         <link>http://feeds.lexblog.com/~r/InfoLawGroup/~3/cW8gXf4zVx4/</link>
         <guid isPermaLink="false">http://www.infolawgroup.com/2012/02/articles/childrens-privacy/ftc-the-kids-app-ecosystem-needs-to-wake-up/</guid>
         <category domain="http://www.infolawgroup.com/tags">Apps</category><category domain="http://www.infolawgroup.com/articles">Children's Privacy</category><category domain="http://www.infolawgroup.com/tags">children's online privacy protection act</category><category domain="http://www.infolawgroup.com/tags">mobile privacy</category>
         <pubDate>Thu, 16 Feb 2012 13:30:49 -0700</pubDate>
         <dc:creator>Jamie Rubin</dc:creator>
      
      <feedburner:origLink>http://www.infolawgroup.com/2012/02/articles/childrens-privacy/ftc-the-kids-app-ecosystem-needs-to-wake-up/</feedburner:origLink></item>
      
   </channel>
</rss>

