Privacy and Security Law Blog

FBI Reportedly Seeking Expansion of CALEA to New Communications and Technology Platforms

Ronald London — Tue, 08 May 2012 14:24:38 -0800

On the heels of the House’s recent approval of the Cyber Intelligence Sharing and Protection Act (CISPA), CNET News reports that the FBI has drafted amendments to the Communications Assistance for Law Enforcement Act (CALEA) that would significantly expand the scope of the statute. The FBI and other law enforcement officials have long been concerned about the increasing volume of communications occurring on technology platforms that are beyond the reach of CALEA, and outside of law enforcement’s existing surveillance capabilities. The FBI reportedly terms this phenomenon the “Going Dark” problem. Solving it as the FBI proposes, however, could require significant operational changes by service providers that utilize such technologies.

Originally enacted in 1994, CALEA requires telecommunications carriers to construct and engineer their networks to accommodate lawful surveillance of communications over such networks. In 2005, at the urging of the Department of Justice and the FBI, the FCC expanded its interpretation of “telecommunications carriers” subject to CALEA to include facilities-based broadband and interconnected Voice over Internet Protocol (VoIP) service providers.

Now, CNET News is reporting that the FBI’s draft amendments would extend the scope and reach of CALEA and require technology companies that build and operate communications platforms – including social networks, messaging and non-interconnected VoIP – to alter their code in order to build in “back doors” that permit lawful surveillance (for example, pursuant to court order). Thus, the FBI’s amendments would reportedly extend CALEA obligations to social networks, non-interconnected providers of VoIP (like Skype, FaceTime, and Google Voice), instant messaging services, and Web-hosted email services. The FBI’s proposal would also reportedly include a gating threshold, such that the new obligations would only apply to technology platforms if the number of subscribers, or users, exceeds a defined threshold.

Privacy advocates and technology providers are likely to oppose any such extension of CALEA. Concerns over legislation targeting copyright and intellectual property theft – the Stop Online Piracy Act (SOPA) and Protect IP Act (PIPA) – led Congress to shelve those bills after a widespread campaign by various segments of the Internet community. Wikipedia, Craigslist, Mozilla, and many other Internet sites staged blackouts of their service in January of this year, and Google’s home page took visitors to a petition against SOPA and PIPA.

Although it is unclear if the White House endorses such an extension of CALEA, if the proposal provokes a reaction similar to that seen during the SOPA and PIPA debates, the proposal may not go anywhere. Indeed, the President has stated his intent to veto another proposal to expand surveillance and information collection efforts on networks, i.e., CISPA, if passed in its current form. Instead, the White House backs the approach of the pending Cybersecurity Act of 2012 (S-2105) which includes provisions for various private sector entities to share cyber threat information to protect the Internet and network communications. The massive Cybersecurity Act in its current form would require the Department of Homeland Security to work with various government agencies and industry sectors to designate “critical infrastructure” for protection from cyberattacks. It would also likely require an overhaul of security standards and practices for communications networks as well as for the energy, financial services, and chemical production industries. The Cybersecurity Act will be debated in the coming weeks.

These federal efforts to change cybersecurity law obviously could force material changes in numerous business models, and require careful attention in the coming weeks and months.

House Passes Cyber Intelligence Sharing Bill With Substantial Industry Support, But Veto Threat Looms

Ronald London — Thu, 03 May 2012 09:40:19 -0800

By Jay Ireland

On April 26, 2012 the House passed the Cyber Intelligence Sharing and Protection Act (“CISPA”) on a 248 – 168 vote. CISPA is supported by many communications and technology companies (e.g., Verizon, AT&T, Facebook, and Microsoft) as a critical step in protecting the nation’s infrastructure and national security from cyber attacks, by permitting the sharing of cyber threat information between private companies and the federal government. Critics (e.g., the ACLU, Center for Democracy and Technology, and others) strenuously oppose CISPA based on concerns it compromises individual privacy by allowing personal information to be shared with the government without adequate protections, oversight, or legal recourse. The White House opposes the legislation and has threatened to veto it in its current form.

CISPA, which would sunset 5 years after enactment, seeks to combat cyber attacks by allowing (but not requiring) private entities to use cybersecurity systems to identify, obtain “cyber threat information,” and share that information with other entities, including the federal government, “notwithstanding any other provision of law.” Such cyber threat information shared with a federal department or agency can only be used for (i) “cybersecurity purposes” (i.e., “the purpose of ensuring the integrity, confidentiality, or availability of, or safeguarding, a system or network”); (ii) investigating and prosecuting cyber-crimes; (iii) protecting individuals from serious bodily harm or death and related investigations; (iv) protecting minors from exploitation and serious threats of harm; or (v) protecting national security. While CISPA facilitates sharing of information to protect national security interests, it does not impose government cybersecurity standards on the private sector.

To address privacy concerns, CISPA provides that cyber threat information shared by the private sector with the federal government cannot be affirmatively searched other than for the purposes itemized above. The bill also forbids the government from using personally identifiable information from library circulation records, library patron lists, book sales records, book customer lists, firearms sales records, educational records and medical records. Information shared with the federal government is exempt from Freedom-of-Information disclosure and generally cannot be disclosed to non-federal entities (unless the sharing entity authorizes such disclosure), or used by the federal government for other regulatory purposes.

CISPA would also authorize (but does not require) the sharing of cyber threat intelligence obtained by “elements of the intelligence community” with private-sector entities and utilities holding appropriate security clearances. Those private-sector entities and utilities are encouraged to share such information with other cleared entities subject to certain restrictions. The federal government cannot condition its sharing of cyber threat intelligence with a private entity on that entity also sharing information with the government. Procedures will be developed, in consultation with the Secretary of Homeland Security, to ensure that operators of critical infrastructure receive “all appropriate cyber threat intelligence” possessed by the federal government.

Private-sector entities (including their officers, employees or agents) that use cybersecurity systems in good faith to identify, or obtain, cyber threat information or that share such information as permitted by CISPA are exempt from civil and criminal liability. CISPA provides a private remedy for the federal government’s intentional or willful violation of the permitted uses of information – the greater of actual damages, or $1,000 and attorney fees.

Focus now turns to the Senate which is expected to consider two competing bills this month (S. 2151, the Strengthening and Enhancing Cybersecurity by Using Research, Education, Information, and Technology Act of 2012 or “SECURE IT” Act sponsored by Senator McCain, and S. 2105, the “Cybersecurity Act of 2012” sponsored by Senator Lieberman). An anti-SOPA style campaign is already underway by privacy advocates to ensure that any Senate bill that emerges contains privacy protections that were not successfully included in CISPA. It is likely that substantial revision is necessary to avoid the threatened veto. In addition, while players in the online industry have been silent or quietly supportive of CISPA, Mozilla came out against it in the wake of its passing the House. Progress of the bill and related legislation in the Senate will be critical to watch in the coming weeks and months.

Plans to Publicize Foreign-Sponsored Hackers and Counter-Measures

Ronald London — Mon, 23 Apr 2012 06:36:57 -0800

By Randy Gainer

A recent story in the Washington Post that describes former FBI assistant director Shawn Henry’s plan to “name names” of governments that sponsor hackers to break into U.S. networks. He also suggests that the private firm he recently joined, CrowdStrike, may take countermeasures against hackers. Such “hack-back” strategies have been debated in the security community for several years. That Mr. Henry is talking openly about going on the offensive against hackers may mean that hacker battles are about to get more interesting.

FCC: Google's Collection of Unencrypted Data Does Not Violate Communications Act

Davis Wright Tremaine — Tue, 17 Apr 2012 12:45:32 -0800

By David M. Silverman

In a Notice of Apparent Liability (NAL) released Monday by the Federal Communications Commission (FCC) against Google, the FCC found that Google’s collection of unencrypted data obtained from Wi-Fi networks in its Street View project did not violate the Communications Act provision that prohibits the unauthorized interception and either use or publication of radio communications. However, the FCC has proposed a $25,000 forfeiture penalty for Google’s initial failure to cooperate with the agency’s investigation of this matter.

Google’s Street View project uses cameras on cars to capture 360 degree images of structures and land bordering roads and highways throughout the world, viewable by users of Google Maps and Google Earth. Between 2007 and 2010, the cars also employed equipment that captured Wi-Fi data which, when combined with global positioning system (GPS) information, can be used to map businesses or other landmarks near a user’s location. In 2010, in response to investigations conducted by various European authorities, Google admitted that its capture of Wi-Fi data included contents of email and text messages, passwords, Internet usage history and other personal information. At first, Google insisted the collected content or “payload data” consisted of fragmented data only, but in October 2010, Google admitted that the payload data included entire emails, passwords and other information.

Following that admission, the FCC sent Google a Letter of Inquiry (LOI) in November 2010 requesting information about the Wi-Fi data collections, to determine whether they violated Section 705(a) of the Communications Act, which prohibits unauthorized interception and use or publication of radio communications. Although the FCC’s investigation was hampered somewhat by a key employee’s refusal to provide information to the FCC pursuant to his Fifth Amendment right against self-incrimination, it appears that the payload data collected by Google was limited to information sent over unencrypted or open networks only, although the captured information may have included encrypted data sent over those networks (e.g., a user may have accessed encrypted bank account information while utilizing an unencrypted Wi-Fi network.)

Given that Google’s collected payload data consisted of data sent over unencrypted Wi-Fi networks only, the FCC found Google’s activities did not violate Section 705(a) of the Communications Act. In this regard, the FCC noted that Section 705 is specifically limited by the federal Wiretap Act, which exempts as lawful the unauthorized interception of any “electronic communication [that] is readily accessible to the general public,” defined in the Wiretap Act as one that is not “scrambled or encrypted.” In the FCC’s words, “[a]lthough Google recognized that the collection of payload data as part of its Street View project should not have happened, that does not necessarily mean that the collection was unlawful.”

As for the encrypted data sent over those unencrypted networks, the FCC “found no evidence that Google accessed or did anything with such encrypted communications,” admitting that its inability to interview Google’s key employee (referred to pseudonymously as “Engineer Doe”) made it “impossible” for the FCC to determine whether any use was made of those encrypted communications.

Nonetheless, the FCC proposed a $25,000 forfeiture for Google’s failure to cooperate with the FCC’s investigation of this matter, noting that Google delayed for months before providing responsive emails, individual names and compliant declarations in response to the FCC’s LOI. While the FCC justified increasing the $4000 base forfeiture set forth in the FCC’s rules on both Google’s “deliberate” refusal to comply with the LOI and on its ability to pay (citing Google’s $38 billion annual gross revenues), members of Congress have criticized the FCC’s forfeiture as a mere “slap on the hand.”

Google now has an opportunity to respond to the NAL in an attempt to persuade the FCC to either reduce or cancel the proposed forfeiture. Unless additional facts come to light regarding Google’s access and/or use of encrypted communications, however, the FCC is unlikely to revisit Google’s substantive liability under the Communications Act.

En Banc 9th Circuit Decision Narrowly Construes Federal Computer Fraud and Abuse Act's Prohibition on Conduct that "Exceeds Authorized Access"

Ronald London — Thu, 12 Apr 2012 12:47:33 -0800

By Ronald G. London

In a 9-2 reversal of an earlier appellate decision by a 3-judge panel, the U.S. Court of Appeals for the 9th Circuit issued an en banc ruling in U.S. v. Nosal, holding that the prohibition in the federal Computer Fraud and Abuse Act (“CFAA”) on exceeding authorized access to a computer covers only the scope of access allowed, not the subsequent use of any information obtained. In doing so, the court rejected a broader reading the government advocated, which the en banc majority held “would transform the CFAA from an anti-hacking statute into an expansive misappropriation statute.” The court’s decision, authored by Judge Kozinski, explains that this narrow construction is preferable because it prevents CFAA liability for, for example, employees using their work computers in violation of their employers’ acceptable use polices, and/or web-surfers using a website in ways that may violate its terms of use/service, which the court noted few ever read, and even fewer understand in enough detail to avoid unwitting liability.

The CFAA is primarily a criminal statute intended to deter computer hackers, though it permits civil actions by private parties damaged as a result of a violations (assuming they incur sufficient injury). It generally prohibits intentionally or knowingly accessing a computer without authorization or exceeding authorized access in a variety of contexts, including those involving government computers, attempts to defraud to obtain something of value, and/or causing damage or loss to the computer or its data.

The case against Nosal involved his former employment at an executive search firm where, after he left, he convinced some former colleagues still at the company to help him start a competing business, including by accessing and providing Nosal information from a confidential database at the firm. While these cohorts were authorized to access their employer’s database generally, it had a policy barring disclosure of confidential information, leading to CFAA charges against Nosal for aiding and abetting the former colleagues in “exceeding authorized access” to the search firm’s computer.

The question thus became whether the CFAA’s “exceeds authorized access” language refers (as Nosal argued) to someone who has been authorized to access only certain data or files but accesses other, unauthorized data or files – what is colloquially known as “hacking” – or (as the government argued) someone who has unrestricted physical access to data or files, but is limited in the use to which he can put them. After the trial court ultimately answered this question in Nosal’s favor, while the 3-judge appellate panel ruled for the government, on rehearing en banc, the 9th Circuit adopted the narrower interpretation, and affirmed dismissal of the CFAA charges.

The en banc decision started with the statutory definition of “exceeds authorized access,” which the CFAA defines as “to access a computer with authorization and use such access to obtain or alter information [to which] the accesser is not entitled.” Noting that it is more sensible to read “entitled” as a synonym for “authorized,” the court determined that “exceeds authorized access” must refer to data or files on a computer that one is not authorized to access, rather than any later use to which they are put. This is consistent, the court held, with the fact that Congress enacted the CFAA primarily to address computer hacking, while the broad interpretation favored by the government would vastly expand its scope to criminalize any unauthorized use of information obtained from a computer. As the court went on to explain:

This would make criminals of large groups of people who would have little reason to suspect they are committing a federal crime. While ignorance of the law is no excuse, we can properly be skeptical as to whether Congress, in 1984, meant to criminalize conduct beyond that which is inherently wrongful, such as breaking into a computer.

Rather, the en banc decision stated, “If Congress wants to incorporate misappropriation liability into the CFAA, it must speak more clearly.” The court bolstered its determination by noting it also is supported by the rule that courts will “construe a statute as displacing a substantial portion of the common law only where Congress has clearly indicated its intent to do so.”

Thus, because Nosal's accomplices had permission to access the company database and obtain the information within, the CFAA charges failed to meet the “without authorization, or exceeds authorized access” element and were properly dismissed. However, the en banc decision held, significantly, that its construction of “exceeds authorized access” would apply to all uses of that term in the statute, noting that the phrase appears five times in the first seven subsections. In doing so, it rejected the government’s suggestion that the interpretation would apply only to the provision Nosal was charged with violating, which involved knowingly accessing a computer in excess of authorization with intent to defraud and thereby furthering the fraud and obtaining something of value.

The court also noted that its decision departed from broader interpretations of “exceeds authorized access” adopted by the Fifth, Seventh, and Eleventh Circuits, which the en banc Ninth Circuit urged to reconsider their approach. This split among the Circuits makes it more likely that the Supreme Court would agree to review the Nosal decision, making it an important case to watch as the time for the government to seek such review begins to wind down.

DWT Attorneys Offer Privacy Insights at RAMP Advanced Commercial & Mobile Retail Summit

Ronald London — Fri, 06 Apr 2012 10:59:16 -0800

By Ronald G. London

On April 4, 2012, DWT privacy practitioners Randy Gainer and Ronnie London joined two of the firm’s leading payments attorneys, James Mann and Andrew Lorentz, at the RAMP Advanced Commercial & Mobile Retail Summit, to make a presentation on Anticipating, Understanding and Preparing for New Rules for a New Mobile World. The session provided an overview of the mobile payments legal ecosystem, and offered insights on the requirements for financial privacy, compliance with data security and PCI rules, and regulations affecting mobile communications. You can access the slides for the presentation here.

New DWT Advisory Offers Insights into FTC's Long-Awaited Final Privacy Report

Davis Wright Tremaine — Thu, 29 Mar 2012 07:06:31 -0800

On our Advisories page we recently posted a detailed analysis by Robert G. Scott, Jr. and Paul Glist of the Federal Trade Commission’s March 26, 2012, final report on “Protecting Consumer Privacy in an Era of Rapid Change” (Final Report). The Final Report effectively adopts the preliminary FTC staff report from December 2010 (Staff Report), with important changes that recast the Staff Report’s general framework for privacy protection as privacy by design, simplified consumer choice, and transparency.

The FTC’s privacy framework covers the use of personal and profiling information across all industries, both online and offline. Much of the change from the Staff Report to the Final Report reflects the FTC aligning with the Administration's approach to privacy. For example, the Commission discarded the Staff Report’s list of permissible “commonly accepted” business uses in favor of contextual justification. It accepts that relationships between companies and their customers vary widely, so privacy protections require flexibility that is best worked out in stakeholder discussions and self-regulatory codes (with the FTC enforcing any promises made). And while the Final Report recognizes the growing success of voluntary Do Not Track tools, the FTC urges industry to increase their effectiveness, or legislation will be needed.

The Final Report additionally restates and renames Fair Information Practice Principles consistent with the White House/Commerce department February 2012 White Paper. The FTC also, among other things, adopts sweeping principles for consumer access to data held by any company, and in the Final Report recommends a new opportunity for consumers to access a list of all categories of data held by any broker. The full advisory on the FTC’s Final Privacy Report can be accessed here.

New Advisory Highlights Potential Traps for the Unwary in Updated FCC Prerecorded Telemarketing Rules

Ronald London — Thu, 15 Mar 2012 10:04:59 -0800

By Ronald G. London

Be sure to spend some time with our new advisory in which we expand on our previous entry outlining the basics of the revised FCC automated/prerecorded telemarketing rules. The advisory explains how, even though the FCC’s primary purpose was to mirror FTC prerecorded telemarketing rules adopted several years back (which were the subject of our advisory issued at that time, here), some additional new requirements resulted from the FCC’s update of its rules.

These include raising the bar for the type of consent needed for auto-dialed live-agent telemarketing to cell phones as part of the new prior, written signed consent requirement for prerecorded telemarketing generally, and extending the automated opt-out mechanism required for prerecorded telemarketing to “abandoned” live-agent telemarketing calls. While the FCC mostly tracked existing FTC regulations, these additional requirements are new and may require operational changes for a variety of companies.

In addition, to the extent the FTC’s jurisdiction does not cover certain business sectors, such as common carriers, banks and other financial institutions, and the business of insurance, to the extent participants in those industries had not started adhering to the FTC prerecorded telemarketing rules, adoption of similar rules by the FCC will mean a variety of new compliance burdens for those companies. Access the advisory here.

Oregon Supreme Court Decision Shows How Rapid Response to Data Breach Can Pay Off in Ensuing Litigation

Ronald London — Thu, 01 Mar 2012 13:27:32 -0800

By Ronald G. London

Check out our new advisory, in which Doug Ross and Greg Chaimov explain how taking prompt and effective action to protect patients after a data breach paid big dividends in the Oregon Supreme Court, which affirmed dismissal of a class action against Providence Health & Services-Oregon. The case is significant in that it shows a prompt and substantial response to such data theft can play a vital role in prevailing in ensuing litigation, especially given that, when the data theft occurred, Oregon had no law governing how a custodian of records like Providence should respond. That Providence responded quickly to contact its patients and arrange for credit protection was a key factor in the outcome. Read more here.

FCC Updates Automated/Prerecorded Telemarketing Rules to Mirror FTC Requirements for Prior Written, Signed Consent, Automated Opt-Outs, and Related Regulations

Ronald London — Fri, 17 Feb 2012 11:36:13 -0800

FCC Also Remedies Confusion in Its Rulemaking Proposal by Ensuring New Rules Do Not Affect Non-Telemarketing Prerecorded Calls and Text Messages, Such as for Debt Collection, Airline and School Notifications, Fraud Alerts, Surveys Calls, and Wireless Usage Data

By Ronald G. London

The Federal Communications Commission released a Report and Order that revises its rules governing automated/prerecorded telemarketing to modify the consent and opt-out requirements for such calls. The rule change eliminates the “established business relationship” exception that previously allowed autodialed/prerecorded telemarketing to residential lines. Meanwhile, the FCC was careful to ensure the new rules cover only automated/prerecorded “telemarketing” calls and text messages, i.e., those that seek to sell or advertise goods or services, while leaving intact preexisting regulations for non-sales prerecorded calls, such as customer-care, surveys, calls by or on behalf of tax-exempt, non-profit entities, etc.

In short, the FCC’s R&O operates to:

• Revise its rules to require prior express written, signed consent for all autodialed/prerecorded telemarketing calls to wireless numbers and residential lines. The consent must specify the phone number to which it applies, be signed (though anything satisfying the E-SIGN Act qualifies), and reflect willingness to receive prerecorded calls in a clear and conspicuous way. The FCC also specified that the consent cannot be required, directly or indirectly, as a condition for purchasing any good/service.

• Adopt rules applicable to all automated/prerecorded telemarketing calls that allow consumers to opt out of future automated/prerecorded calls during the call. This requires "promptly" offering an automated interactive keypress or voice-activated opt-out mechanism that permits the called party to make a company-specific do-not-call request.

• Revise the rules to limit permissible abandoned calls – i.e., live-agent auto- or predictive-dialed telemarketing calls that when answered by the consumer do not connect to a live agent within 2 seconds – by requiring calculating the 3% of such calls that are permissible on a per-campaign basis (rather than across all a telemarketer’s campaign, as previously).

The new regulations mean the FCC prerecorded telemarketing call rules essentially mirror those the FTC adopted in 2008, which we described in detail here, and have been in effect going on several years now.

That said, some entities/industries fall outside the FTC’s jurisdiction (i.e., common carriers, banks/credit unions/S&Ls, the business of insurance), and to the extent they have telemarketed without using third-party call centers may not have been complying with the FTC prerecorded telemarketing rules – now, they must commence doing so under the FCC rules. The FCC’s R&O also confirms that telemarketing text-messages fall within and must comply with the written, signed consent regime.

For any entity or conduct newly covered by the FCC rules, and to the extent they differ at all from the FTC version, the FCC adopted a phase-in, so compliance with the FCC prior written, signed consent obligation is required 12 months after OMB approval of the new rules appears in the Federal Register, compliance with the FCC automated opt-out rule must occur by 90 days after publication of OMB approval, and compliance with the FCC’s revised abandoned call calculation rule is required 30 days after Federal Register publication.

Massachusetts Data Protection Law: Third-Party Provision Effective March 1

Davis Wright Tremaine — Fri, 17 Feb 2012 06:20:19 -0800

By Bruce E. H. Johnson

Effective March 1, 2012, any company, wherever located, that is holding the “personal information” of Massachusetts residents must amend its existing vendor contracts to require compliance with Massachusetts data security regulations. 201 CMR 17.03 (f)(2).

This requirement for contracts with third-party vendors applies to the personal information of all Massachusetts residents, including customers, employees and others. The data security rules require businesses to encrypt sensitive personal information on Massachusetts residents that is stored on portable devices such as PDAs and laptops or on storage media such as memory sticks and DVDs. Any personal information that is transmitted over a public or wireless network must also be encrypted.

If you own or license personal information about Massachusetts residents, you should ensure you comply with the Massachusetts law. Please feel free to consult with a member of DWT’s PrivSec practice group regarding this issue.

To read more about the Massachusetts law, please visit our Nov. 17, 2008 advisory here.

Business Associates Beware: First HIPAA Enforcement Action Against a Business Associate

Ronald London — Mon, 06 Feb 2012 11:53:07 -0800

By Adam H. Greene and Rebecca L. Williams

Over at our Learning Center, be sure to check out the new advisory on the first formal enforcement action against a business associate, Accretive Health, Inc., for alleged violations under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), which was brought by Minnesota’s Attorney General under the Health Information Technology for Economic and Clinical Health (“HITECH”) Act. The enforcement action comes after the theft of an unencrypted laptop computer containing approximately 23,500 patients' records, and offers stark reminders both that the HITECH Act’s provisions for business associates currently are in effect, and that state attorneys general and the federal Department of Justice are not bound by the U.S. Department of Health and Human Services’ still-effective forbearance from enforcing the HITECH Act in cases like that of Accretive Health. You can read more here.

Europe Plans Significant Expansion in Data Protection Rights

Davis Wright Tremaine — Fri, 27 Jan 2012 10:49:31 -0800

European Commission Releases Formal Proposal on Data Protection Reform

By Robert Stankey and Adam Shoemaker

On Jan. 25, 2012, the European Commission released the final version of its proposed revisions to the European Union’s data protection framework. The package of changes represents a comprehensive reform of the EU’s 1995 data protection rules.

Significant changes include:

A “right to be forgotten,” which would give individuals a right to demand that user data be permanently deleted from websites;
A requirement that websites obtain explicit consent from users to permit the storage and use of their personal data (and allow for revocation of consent);
A requirement to provide notifications about data breaches to data protection authorities and individuals within 24 hours of discovery; and
A right for individuals to request that their personal data (such as posts, contacts, and pictures on a social network) be moved from one online service to another.

Fines for violation of the new regulation can be as high as two percent of a company’s worldwide gross income.

The proposals on breach notification are intended to catch Europe up with requirements in the U.S. Mandatory breach notification requirements are not common in Europe and fines for security breaches have been modest at best. Regulatory penalties are the primary enforcement mechanisms in the EU as there is no class action litigation.

To address criticism of the lack of consistency in the implementation of data privacy rules across Europe, the Commission has proposed that the data protection rules take the form of a new Regulation, rather than a revised Directive as was done in 1995. This means that there will be a single set of rules that will apply across Europe, replacing separate data protection laws in each of the more than 30 countries that have adopted the European framework. A European Regulation has direct effect in EU countries. Consequently, companies that relied on countries with more business-friendly data protection regulators and judicial interpretations of the law will find less room to maneuver under the new framework as continental European interpretations take greater hold.

While several of the changes have already attracted the attention of the media due to their potentially wide-ranging impact on the Internet, the proposal also includes significant changes to:

Make more non-EU websites subject to the rules (by merely offering goods and services to Europeans);
Clarify which national privacy rules are applicable within the EU (based on the location of an organization’s “main establishment”);
Eliminate some bureaucratic compliance obligations (e.g. registration and other filings with national data protection authorities); and
Require more organizations to have data protection officers.

The intense lobbying that began last year on the revision of the framework will continue this year, but the Commission’s formal proposal is significant as it frames the boundaries of the likely results of the policy debate.

The Commission’s data protection proposal will now be passed on to the European Parliament and EU member states for discussion and negotiation, and will not take effect until two years after full adoption.

The final draft can be read here.

Detailed information about the proposal and supporting materials is available here.

Supreme Court Resolves Circuit Split By Allowing Suits Against Telemarketing Violations Into Federal Court Under "Federal Question" Jurisdiction

Ronald London — Thu, 19 Jan 2012 11:38:40 -0800

By Ronald G. London

The U.S. Supreme Court has issued a decision in Mims v. Arrow Financial Services, LLC, resolving a split among federal appeals courts, by holding that claims under the Telephone Protection Act (TCPA), which provides consumers private rights of action for telemarketing violations, can be brought under “federal question” jurisdiction in federal courts rather than only in state courts.

The TCPA is the statute administered by the Federal Communications Commission (FCC) that regulates telemarketing and other commercial calling practices. It prohibits automated and/or prerecorded calls to cell phones in the absence of prior express consent by the called party, and significantly restricts such calls to residential lines. It is also a basis for various do-not-call rules, including the administration of and requirement to honor National Do Not Call Registry listings, as well as the obligation for companies that telemarket to maintain an internal do-not-call list. (The TCPA also regulates “junk fax” advertisements.)

The TCPA gives the FCC rulemaking authority to regulate in these areas, as well as the ability to impose fines for violations. At the same time, it provides a private right of action for violations of its do-not-call provisions, autodialed/prerecorded-call restrictions, and/or of other technical prohibitions and obligations. The statue provides that such claims may be brought in the courts of the various states and the complainant can seek actual damages or $500 in statutory damages, which may be trebled for any willful violation(s).

But courts have split on whether such claims may be brought in the federal courts. Generally speaking, the courts have agreed that TCPA claims may proceed in federal court under their “diversity” jurisdiction, i.e., the parties are from different states and the complaint seeks $75,000 or more in damages, as well as, after its adoption, under the federal Class Action Fairness Act where plaintiffs seek to proceed as a class (and certain other procedural requirements are met). However, if neither of these apply, the only other basis for federal court jurisdiction relevant to the TCPA would be “federal question” jurisdiction where at least one of the issues to be litigated involves rights, obligations or restrictions arising under federal law.

Initially, though there was some divergence very early on, most federal courts came to agree that the TCPA’s express provision for claims in state court precluded federal question jurisdiction. This became the rule in the federal courts in the Second, Third, Fourth, Fifth, Ninth, and Eleventh Circuits. More recently, however, the U.S. Court of Appeals for the Seventh Circuit held that the TCPA does provide federal question jurisdiction. And, the Sixth Circuit had joined the Seventh Circuit in also holding federal question jurisdiction exists.

The Arrow Financial case before the Supreme Court came through the Eleventh Circuit, where both that Circuit Court and the district court below it held that Mimms could not proceed under federal question jurisdiction in the federal courts. In reversing the Eleventh Circuit, the Supreme Court held that Congress' specification in the TCPA that private parties may seek redress for violations of the Act (or FCC rules thereunder) “in an appropriate court of [a] State,” “if [such an action is] otherwise permitted by the laws or rules of court of [that] State,” is a “permissive grant of jurisdiction to state courts” that does not erect “any barrier to the U.S. district courts' exercise of the general federal-question jurisdiction they have possessed since 1875.”

Construing the general federal law that creates federal-question jurisdiction, which states that “district courts shall have original jurisdiction of all civil actions arising under the Constitution, laws, or treaties of the United States,” the Court held that insofar the TCPA creates the right of action and provides the rules of decision, Mimms’ claim plainly “aris[es] under” the “laws ... of the United States.” It also observed that there is a “deeply rooted presumption” in favor of concurrent federal and state court jurisdiction. That presumption is rebuttable only if “Congress affirmatively ousts the state courts of jurisdiction over a particular federal claim,” which occurs only under an explicit statutory directive, an unmistakable implication from legislative history, or by a clear incompatibility between state-court jurisdiction and federal interests, none of which are present with respect to the TCPA, the Court held.

The case is important as it opens the doors of the federal courts for federal-question TCPA claims in the six Circuits where they previously were barred. Now, even if the parties do not come from different states and have at least $75,000 at issue (the basis for diversity jurisdiction) or did not seek to proceed as a class, litigants may proceed in federal court.

FTC Consent Decree Targets Allegedly Deceptive Toolbar

Davis Wright Tremaine — Tue, 10 Jan 2012 15:06:37 -0800

By David Silverman

The FTC has reached a settlement with UPromise, Inc., a membership reward service aimed at helping save for college, to resolve charges that company allegedly used a web-browser toolbar to collect consumers’ personal information, without adequately disclosing the extent of personal information collected. Under the settlement, UPromise must destroy all data it collected under the “Personalized Offers” feature of its “TubroSaver” toolbar, clearly disclose its data collection practices and obtain consent to collection of personal information from those using the toolbar before it is installed or re-enabled, and must further establish a comprehensive information security programing, requiring biennial independent security assessments, for the next 20 years.

UPromise is a website that allows users to save money for college by getting rebates offered by partner merchants. As part of that website, UPromise offers a downloadable “TurboSaver Toolbar” that highlights UPromise partner merchants in search results, and allows users to get “personalized offers” based on websites visited. UPromise stated that it “automatically encrypts . . . sensitive information” and “infrequently” collected personal data “inadvertently,” and that any personally identifying data would be deleted prior to transmission.

The FTC found that UPromise was not being truthful and filed a complaint alleging unfair or deceptive trade practices under Section 5(a) of the FTC Act. Specifically, the FTC found that the Toolbar was collecting the names of all websites visited by its users as well as information entered into web pages by those users, including user names, passwords, credit card numbers, social security numbers and other financial and/or sensitive data. Furthermore, this data was transmitted in unencrypted, clear text that could be intercepted or viewed by third parties in a wifi environment.

The FTC complaint has resulted in a proposed consent decree requiring UPromise to take the following steps, among others:

UPromise must disclose the types of information collected and how it will be used prior to consumer download or installation of the Toolbar or any software that records or transmits information about activity occurring on that computer;
UPromise must advise consumers who had previously downloaded the Toolbar of the types of information that may have been collected and how to disable or uninstall the Toolbar;
UPromise must destroy all the data it previously collected via the Toolbar;
UPromise cannot make any misrepresentations about security, privacy, confidentiality or the integrity of any information collected from consumers;
UPromise must maintain a comprehensive security program designed to protect the security, confidentiality and integrity of any information collected; and
UPromise must commission an independent audit of its security program every six months for the next 20 years.

The FTC is soliciting public comment on this proposed consent decree through Feb. 6, 2012, following which the FTC will decide whether to make the consent decree “final.”

FTC Enforcement Action Reinforces That Consumers Need Not Utter Any "Magic Words" in Requesting to Be Placed on Telemarketers' Internal Do-Not-Call Lists

Ronald London — Mon, 19 Dec 2011 07:50:33 -0800

Also Reinforces That Telemarketing Sales Rule’s Caller ID Flexibility Only Goes So Far

The Federal Trade Commission (FTC) has announced a $500,000 settlement of a telemarketing enforcement action that it brought based on allegations that the telemarketer interfered with the right of consumers to be placed on companies’ internal do-not-call lists, and that it altered outgoing caller ID to inaccurately display the identity of the calling party. The enforcement action is a reminder that telemarketing customer service reps must be trained to be particularly sensitive to understanding – and effectuating – consumer requests to be added to a company’s do-not-call list, even they don’t request it in such specific terms.

The settlement resolves a complaint the FTC filed in the federal court for the Northern District of Illinois alleging that Americall, a telemarketer specializing in calls on behalf of banks, credit card issuers, insurance companies, and other financial institutions, violated the FTC’s Telemarketing Sales Rule (TSR). The FTC alleged Americall “trains [its] representatives to interfere with entity-specific do-not-call requests” by instructing in training manuals that, absent other, more specific requests, consumer statements like “Don’t call me again,” “Don’t call me back,” or “I do not accept solicitation calls,” should not result in a consumer’s placement on the internal do-not-call list of the entity on whose behalf the agent has called.

In the FTC’s view, apparently, these and “similar statements” are sufficient to require that the consumer’s phone number be logged on the company’s internal do-not-call list. In other words, a consumer need not speak the magic words “put me on your do-not-call list,” or any similar invocation, but rather need only assert some general sentiment that the calling party not call again.
But while one could certainly see a statement like “do not call me again” being treated as the equivalent of “put me on your do-not-call list,” is it really fair to say that “don’t call me back,” or the even less specific “I do not accept solicitation calls” all mean “put me on the list” as well? “Don’t call me back,” for example, is rather non-specific – does it mean don’t call again ever, don’t call again with regard to your current campaign or offer, or even simply don’t call me again anytime soon?

“I do not accept solicitation calls” is an even more generic statement, particularly viewed in the context of whether a consumer is invoking his or her entity-specific do-not-call rights, as it does not even refer to the specific company calling. Treating such non-company-specific language as a do-not-call request is even more curious given that any consumer who “does not accept solicitation calls” can effectuate that desire by being placed on the national (or a state) do-not-call registry.

Such musings, however, may well be irrelevant, insofar as the FTC – the agency charged with enforcing its entity-specific do-not-all rules – appears to consider all the above sentiments sufficient to constitute a do-not-call request. The bottom line, it seems, is that anytime a consumer expresses that s/he does want further calls, that statement must be treated as a do-not-call request. Accordingly, telemarketing agents should be trained to err more on the sides of caution and over-inclusiveness in what is treated as a do-not-call request.

The FTC’s complaint also charged that the telemarketer, armed with knowledge of the names of the companies on whose behalf it placed calls, and thus the ability to properly identify them in outgoing caller ID, altered the calling party name to disguise the identity of Americall and/or its client(s). The complaint gave the example that, in some instances, when calling on behalf of a fire insurance company, the caller ID displayed the promotional phrase “Gas Rebate Center” to entice consumers to answer the phone. While the TSR allows for the identity of either the telemarketer or the company on whose behalf the call is made, the name must fairly identify the caller – before the consumer picks up the phone.

The Americall settlement is a half-million-dollar reminder of the need to properly honor entity-specific do-not-call requests, as well as the need for accurate call ID. The settlement also imposes five years’ worth of record-keeping obligations. In its press release announcing the settlement, the Director of the FTC’s Bureau of Consumer Protection, David Vladeck, expressed that “When it comes to the Do Not Call provisions, compliance is not rocket science.” Nonetheless this case reinforces the need to for companies to stay ever vigilant regarding their telemarketing practices.

Supreme Court Considers Damages for Privacy Violation's Emotional Harm

Davis Wright Tremaine — Fri, 02 Dec 2011 12:49:23 -0800

By Adam H. Greene

On Nov. 30, 2011, the U.S. Supreme Court held oral arguments in Federal Aviation Administration v. Cooper, No. 10-1024. At issue in the case is whether the plaintiff is entitled to damages under the Privacy Act of 1974 for emotional distress caused by the government’s disclosure of his HIV status, including “sleeplessness, loss of appetite, physical tension, agitation, isolation from friends and anxiety.”

While the case most directly impacts the Privacy Act of 1974 (which generally only applies to federal agencies), a Supreme Court precedent establishing damages for emotional harm due to loss of privacy could have a far larger impact. For example, more and more breaches of information are leading to class action lawsuits that may succeed or fail based on whether the plaintiffs are entitled to compensation for the alleged anxiety and other emotional harm resulting from the breach. A finding in favor of the plaintiff in Cooper could significantly bolster the arguments of plaintiffs in these class action suits. Stay tuned for the resolution of this case.

More information can be found here in a New York Times story.

Facebook Settles FTC Allegations of Privacy Violations

Brian Hurh — Wed, 30 Nov 2011 07:49:36 -0800

By Bob Scott

The Federal Trade Commission (FTC) and Facebook announced a settlement of allegations that Facebook did not comply with its own written and advertised policies as to how it protected and used personal information at Facebook users’ pages. Facebook did not admit any wrongdoing, but agreed to a set of detailed privacy practices that incorporate privacy by design, as well as elements of pending federal legislation.

The FTC’s investigation stemmed from Facebook’s November 2009 modification of its privacy policy, which allowed certain user profile information to be seen by the public. Facebook also allowed some third party applications and advertisers to access personal user information. In simple terms, the FTC’s draft complaint alleged that Facebook’s privacy practices did not match its stated policies, so that Facebook users were not accurately and meaningfully informed about the extent to which personal information would be shared by Facebook with third parties. The FTC characterized the detailed allegations as deceptive and unfair acts and practices prohibited by Section 5 of the Federal Trade Commission Act.

Announcing the settlement with the FTC, Facebook founder Mark Zuckerberg posted a blog entry in which he acknowledged that “a small number of high profile mistakes, like Beacon four years ago and poor execution as we transitioned our privacy model two years ago, have often overshadowed much of the good work we've done” to protect user’s information.

The terms of settlement include Facebook’s commitments to:

accurately represent “the extent to which it maintains the privacy or security of covered information”;
clearly and prominently disclose any changes, and to obtain affirmative express consent, prior to sharing nonpublic Facebook user information with any third party in a manner that materially exceeds the restrictions the user has chosen through privacy settings;
adopt “procedures reasonably designed to ensure that covered information cannot be accessed by any third party” no more than 30 days after the user has deleted the information or terminated the account;
establish and implement a comprehensive privacy program, reasonably designed to address privacy risks and to protect covered information, with controls and procedures that are appropriate to Facebook’s size, complexity, activities, and the sensitivity of the information it collects:
- The detailed requirements for this program incorporate elements of the FTC’s Privacy Report released December 2010, which we summarized here.
- The required privacy program also incorporates elements contained in the Personal Data Privacy and Security Act introduced earlier this year by Senator Leahy (D. Vermont). The most far-reaching of these may be the requirement that Facebook develop and use reasonable steps to use service providers (undefined) that are capable of appropriately protecting the privacy of covered information, and contractually requiring service providers to implement and maintain appropriate privacy protections as well;
maintain detailed records of compliance with these terms, and to submit to independent privacy audits every two years for twenty years to demonstrate compliance.

The settlement tracks the FTC’s recent Google Buzz settlement. However, unlike the Google settlement, the sheer magnitude of Facebook’s online presence, and the depth of its relationships with “service providers” who must also satisfy the settlement’s base line, gives the terms of Facebook’s settlement significant weight as de facto industry standards for FTC compliance.

Update: FTC Extends Comment Deadline for Children's Online Privacy Protection Act (COPPA) Rulemaking

Ronald London — Fri, 18 Nov 2011 12:53:13 -0800

As an update to our advisory FTC Proposes First Modifications to Children's Online Privacy Protection Act (COPPA) Rules Since Original Adoption in 2000, we note the Federal Trade Commission (FTC) has announced it is extending the comment-filing deadline, until December 23, 2011. The prior deadline had been November 28, 2011. The rule update proceeding seeks to examine whether and what changes may be necessary to reflect the evolution of technology and online practices, primarily, the popularity of social networking and use of smartphones to access the Internet and provide location information.

FTC Enters into Consent Decree with Skid-e-Kids for COPPA Violations

Davis Wright Tremaine — Wed, 09 Nov 2011 13:35:32 -0800

By David M. Silverman

The operator of the Skid-e-Kids website, a self-described “Facebook and MySpace for kids,” has learned that it is not enough merely to have a privacy policy that requires parental consent prior to obtaining personal information online from children under the age of 13. Such website operators must actually abide by that policy as well. The Federal Trade Commission (FTC) reinforced that lesson via an enforcement action and settlement with the company this week.

Skid-e-Kids (skidekids.com) advertises itself as “Safe, Fun and very educational.” Their target group is children ages 7-14. The Children’s Online Privacy Protection Act of 1998 (COPPA) and corresponding rule enforced by the FTC require parental consent before children under the age of 13 can be requested or required to provide personal information online.

Skid-e-Kids had a Privacy Policy that “requires child users to provide a parent’s valid email address in order to register on the website.” In practice, however, that was not the case. Children were required to provide a birth date, gender, user name, password and email address prior to using the website. Once that information was provided, the child was automatically registered on the website. Worse still, Skid-e-Kids did not even request a parent’s email address and made no attempt to notify parents or obtain parental consent.

The FTC discovered that Skid-e-Kids had collected and maintained personal information from approximately 5,600 children, apparently all without obtaining parental consent. As a result, the FTC filed a complaint against the website operator in the Northern District of Georgia, alleging violations of both COPPA, for failing to obtain parental consent for children under age 13, and of the FTC Act, for the site’s false and misleading representation that it did so.

This week, Jones O. Godwin, operator of the Skid-e-Kids website, entered into a Consent Decree, agreeing to comply with COPPA and to delete personal information obtained from children without parental consent. Godwin was also required to pay a civil penalty of $100,000, all but $1,000 of which was suspended pending compliance with COPPA and the Consent Decree for the next ten years. The Consent Decree also requires Godwin to retain an independent third party to assess the site’s compliance with COPPA for the next five years.

This case acts as a reminder that a COPPA-compliant policy is not enough. Website operators who target children under age 13 must actually obtain the necessary parental consent before proceeding to collect children’s personal information.