Privacy and Security Law Blog

Update on CAN-SPAM Complaint Mills' Tenuous Legal Posture

Ronnie London — Fri, 04 Dec 2009 13:21:23 -0800

In our entry CAN-SPAM Complaint Mills - Time For A New Business Model? pointing to our advisory on the Ninth Circuit’s decision in Gordon v. Virtumondo, Inc., we noted the court’s holding that private suits to enforce the CAN-SPAM Act are limited to bona fide Internet access service providers who genuinely suffer “adverse affects” attributable to email that violates the law, its recognition of non-misleading commercial email as a legitimate marketing tool, and its concerns about a CAN-SPAM “cottage industry” that has been set up “to profit from litigation.”

Yesterday, the Ninth Circuit built on that foundation, issuing its decision in Asis Internet Services v. Azoogle.com, Inc., which affirmed dismissal of a similar plaintiff’s CAN-SPAM claims, and an award of costs against it. Citing Gordon v. Virtumondo for the proposition that Asis did not meet the requirement of being adversely affected by the unsolicited emails it received, the court held “the mere cost of carrying SPAM emails over Plaintiff’s facilities does not constitute a harm as required by the statute.” It also held that while Plaintiff also spent money on email filtering, the cost of email filtering did not increase due to the emails at issue, reinforcing that “such ordinary filtering costs do not constitute a harm.” The case thus maintains the high bar to CAN-SPAM complaints set in Gordon.

Maine Privacy Law Remains On The Books, But AG Won't Enforce It

DWT — Thu, 10 Sep 2009 07:56:58 -0800

By Robert J. Driscoll

We recently blogged (here) about a new Maine law that would restrict the collection and use of personal information from minors for marketing purposes. Shortly thereafter, a coalition of educational and industry groups filed a lawsuit in the U.S. District Court in Maine, challenging the law on the basis that it violates the First Amendment and the Commerce Clause of the Constitution. On September 9, 2009, the court entered a stipulated order of dismissal. While determining that the plaintiffs had established a likelihood of success on their claims, the judge noted that the Attorney General, acknowledging the substantial legal issues raised by the new law, had committed not to enforce it. The judge also pointedly stated in the order that “third parties are on notice that a private cause of action [under the new law] could suffer from the same constitutional infirmities,” in an apparent attempt to discourage private individuals from filing a private cause of action to enforce the law. The legislature is expected to revisit the new law and to consider amendments that would address these infirmities in the upcoming session.

New Maine Privacy Law Restricts Marketing to Minors

DWT — Fri, 14 Aug 2009 11:31:09 -0800

By Robert J. Driscoll

The state of Maine recently passed a new law restricting the collection and use of health-related information and personal information of minors. We have published an advisory containing some of the details. The new law, which takes effect in September, is substantially more limiting than COPPA and will significantly impact the ability of marketers to communicate with Maine residents under age 18. Read more at www.dwt.com/LearningCenter, or click here.

CAN-SPAM Complaint Mills - Time For A New Business Model?

Ronnie London — Tue, 11 Aug 2009 10:16:00 -0800

Be sure to check out our advisory on Gordon v. Virtumundo, Inc. There, you’ll find our review of the recent 9th Circuit decision clarifying that private suits to enforce the federal CAN-SPAM Act – apart from the FTC, state attorneys general, and other state/federal agencies statutorily authorized to bring claims – are limited to bona fide Internet access service providers, who genuinely suffer “adverse affects” attributable to email that violates the law. We also discuss the 9th Circuit’s recognition of non-misleading commercial email as a legitimate marketing tool, and its concerns about a CAN-SPAM “cottage industry” that has been set up “to profit from litigation.” Read more at www.dwt.com/LearningCenter, or click here.

"Red Flag". . . or White Flag?

Ronnie London — Fri, 31 Jul 2009 08:19:35 -0800

The latest in the ongoing saga/delay with regard to the effective date for those subject to the Federal Trade Commission’s version of the Identity Theft Red Flag Rules is that the FTC has announced that the deadline by which affected businesses must comply has been extended – yet again – to November 1, 2009. This is the third extension of the compliance deadline, for which the “mandatory compliance” date was originally November 1, 2008. It was later extended – first to May 1, 2009, then to August 1, 2009, and now to November 1, 2009 – after confusion arose as to whom the rules applies and how to comply with them. This raises the question, which the FTC itself has acknowledged, of whether Congress wrote the rules too broadly.

When the FTC announced the first extension, it stated it was stepping up outreach efforts to explain the rules to the various entities to which they apply. With the second extension, the FTC released a “How-To Guide for Business” to assist those faced with complying. Meanwhile, the FTC created a dedicated Red Flags Rule website, but rejected a request by the American Medical Association for clarification that the rules do not apply to doctors, which begat consternation over whether the rules could apply to lawyers as well. With the ABA seemingly poised to take the FTC to litigation over the matter with the twice-extended compliance deadline nearly at hand, and confusion otherwise lingering generally, the FTC extended the compliance date again.

This time, the FTC stated it was extending the effective date yet again to “assist small businesses and other entities,” so that it could “redouble its efforts to educate them about … and ease compliance by providing additional resources and guidance to clarify whether businesses are covered by the Rule and what they must do to comply.” In particular, “redoubled” efforts are intended to assist small and low-risk entities who may face compliance concerns. However, if it is truly “low risk” businesses on which the FTC is focused at this point, with three extensions (now totaling one year) needed to deal with any uncertainty among such “low-risk” businesses, does that validate previously-voiced concerns from the business community that the rules are too broad? This may well be an area Congress should consider revisiting, and sooner, rather than later.

A $6 Million Reminder That FCC Still Has Work To Do On Telemarketing And Federal Preemption

Ronnie London — Tue, 21 Jul 2009 12:34:18 -0800

Last week came news that DISH Network LLC signed an Assurance of Voluntary Compliance (“AVC”) with the Attorneys General of 46 states, in which it agreed to pay nearly $6 million – plus, potentially, additional restitution – and to modify its sales practices to settle claims that it failed to follow telemarketing do-not-call laws and engaged in unfair trade practices. The agreement, which DISH executed with regulators from every state but California, Illinois, North Carolina, and Ohio, notes that among the alleged violations were failure “to comply with federal, state and/or local laws regarding telemarketing,” but denies any wrongdoing. The AVC also called for DISH to comply with such state laws going forward.

The extent to which Attorneys General leveraged their states’ telemarketing laws in the settlement, and to require future compliance, is a troubling reminder that it has been more than half a decade that the Federal Communications Commission (“FCC”) has sat on petitions, declaratory ruling requests, and other calls for it to follow through on its promise to preempt the application of state laws to interstate telemarketing if they differ from federal standards. Specifically, when it joined the Federal Trade Commission to update federal telemarketing rules in 2003, including creating of a National Do-Not-Call Registry, the FCC established certain limitations on application of state law thereafter. It said its rules implementing the Telephone Consumer Protection Act (“TCPA”), which underlie the Registry, would serve as a “floor” with respect to all interstate and intrastate telemarketing calls. That is, federal rules would govern all interstate calls, and with respect to intrastate calls, state rules that were less restrictive than their federal counterparts were preempted. And, while the TCPA allows states to impose more restrictive rules to intrastate calls, the FCC said its rules would “almost certainly” preempt the application of such laws to interstate calls. It also said that, rather than establishing blanket preemption (as with less-restrictive state laws), it would address preemption of such laws on a case-by-case basis.

In the ensuing years, in the related context of unsolicited fax ads, the TCPA’s preemption provision, which applies equally to the law’s telemarketing and fax provisions, was interpreted in accord with the FCC’s position. At the same time, multiple petitions were filed, targeting sundry state laws, asking that the FCC preempt various state telemarketing prohibitions or requirements. In other cases, trade associations asked the FCC to impose 50-state preemption with respect to certain state laws and rules. Some of these petitions have languished since 2004, or even 2003, and while the FCC has sought comment, all these matters remain pending.

The AVC that DISH has entered with all but 4 states requires it to comply with state telemarketing rules that likely were preempted by federal law. This is a significant reminder that the FCC needs to bring closure to this issue. Indeed, it is likely that many of the calls at issue in the DISH enforcement action were interstate in nature and should not have been subject to state laws that differ from the TCPA rules. The point is not that if preemption were clarified by the FCC, the issues surrounding DISH’s marketing practices would have disappeared. Nonetheless, the settlement serves as a hefty reminder that telemarketers making interstate calls still face state laws that differ from – and as the FCC has said, are “almost certainly” preempted by – federal regulations intended to unify the rules in this area and to eliminate the patchwork of state requirements and prohibitions. Perhaps, now that a new FCC installed by a new administration is poised to be at full strength, there is an opportunity to complete this last piece of long-unfinished business.

Advertising Industry Publishes Self-Regulatory Principles for Online Behavioral Data Collection

DWT — Thu, 09 Jul 2009 13:46:55 -0800

By Robert J. Driscoll, Paul Glist and Jennifer Small

On July 2, 2009, a group of advertising industry associations published the Self-Regulatory Principles for Online Behavioral Advertising (PDF)—a set of guidelines concerning the collection and use of online behavioral data by advertisers, service providers, publishers and ad networks.

The principles, drafted by the American Association of Advertising Agencies (4A’s), the Association of National Advertisers (ANA), the Direct Marketing Association (DMA), the Interactive Advertising Bureau (IAB) and the Council of Better Business Bureaus (BBB), focus on the areas that the Federal Trade Commission (FTC) has identified as desirable for industry self-regulation. The principles set forth recommended practices for providing consumers with greater control over online behavioral advertising.

These proposed self-regulatory principles arise against a backdrop of growing political and consumer awareness of privacy issues. FTC Chairman Jon Leibowitz has twice warned the industry that it is facing the “last clear chance” to avoid specific governmental regulation. The FTC has stepped up enforcement action in the area, recently proposing an order against Sears that treats formal notices of Web tracking buried in fine print as “unfair” or “deceptive” under current law.

This advisory provides a brief overview of the new principles. Businesses involved in online behavioral advertising should be aware of them and consider taking steps toward their implementation.

Of particular note is an enhancement of consumer notice and education about the collection and use of predictive profiling information, with new, easier-to-use tools for consumers to “opt out” of such collection and use by online ad networks. In addition, the principles propose more significant restrictions on service providers—specifically, Internet service providers and providers of desktop application software such as browsers and tool bars—who would be permitted to engage in the collection and use of data for online behavioral advertising purposes only on an “opt in” basis.

The principles do not address display advertising or contextual advertising; rather, they focus on advertising targeted to the user based upon data regarding that user’s activities across various Web sites, a practice that has attracted considerable political attention.

The proposed requirements are summarized briefly below.

Transparency. Online behavioral advertising will be accompanied by enhanced notice to consumers. Among other things, the principles contemplate that a uniform link or icon indicating that behavioral data is being collected will be displayed in or around behavioral ads. In addition, ad networks and other entities that collect and use data from others’ Web sites would be required to include notices of their online behavioral advertising practices on their Web sites, along with a mechanism for consumers to opt out of the collection and use of behavioral data. Service providers would also be required to provide online notices of their behavioral advertising practices, and Web sites at which behavioral data is collected would be required to display links to the ad networks’ notices.

Consumer control. The principles require entities involved in online behavioral advertising to provide users with a means of controlling the collection and use of data relating to them. Ad networks could satisfy this obligation by providing a means for consumers to opt out of such data collection and use. Service providers, on the other hand, would be prohibited from collecting or using data for online behavioral advertising purposes without securing affirmative consumer consent, i.e., by deploying an opt-in mechanism.

Data security. Data will be reasonably secured and discarded when no longer necessary to fulfill a legitimate business or law enforcement purpose. This principle extends to offer reasonable assurances that the anonymization process will prevent the re-identification of anonymized profiles.

Material changes. Consent is required for any retroactive material change in the use of collected data.

Sensitive data. Children known to be under 13 are provided additional protections, as is health and financial data. The principles note that what is “sensitive” information may change over time.

Accountability. Enforcement of the principles will be handled principally by nongovernmental bodies, perhaps analogous to the Children’s Advertising Review Unit of the Better Business Bureau with respect to children’s advertising issues. Enforcement mechanisms may include internal and third-party monitoring and self-reporting systems, and possible reports to the applicable government agencies in the event of an uncorrected violation.

Education. Participants are encouraged to educate individuals and businesses about online behavioral advertising. It has been reported that industry groups expect to conduct a large educational campaign—on the order of 500,000,000 impressions—over the next 18 months.

Currently key House members are drafting new legislation on online privacy. We expect that even if such legislation is pursued, it may still provide room for effective self-regulatory programs to operate. In the meantime, the BBB will spearhead implementation of the Self-Regulatory Principles for Online Behavioral Advertising, with an implementation program expected to be launched by early 2010.

Has The 9th Circuit Raised The Bar For Text-Message Affiliate Marketing?

Ronnie London — Wed, 24 Jun 2009 09:20:21 -0800

Did text-message advertising get more difficult after last week’s decision by the U.S. Court of Appeals for the Ninth Circuit in Satterfield v. Simon & Schuster, Inc.? Perhaps so, but not principally for reasons cited by many accounts and commentators reporting on the case.

Satterfield, the recipient of a text-message advertising a Stephen King novel sent by its publisher as part of an outsourced promo campaign, sued Simon & Schuster (and outsourcer ipsh!) under the Telephone Consumer Protection Act (“TCPA”), which prohibits (among other things) “calls” to numbers assigned to cellular and similar services sent by automatic telephone dialing system (or “ATDS”). Simon & Schuster defended on grounds the ad was not delivered by an ATDS as defined by statute, and that text messages are not “calls” as the TCPA requires. It also claimed the text fell under the law’s consent exception insofar as Satterfield received it after registering at Nextones.com (to allow her minor son to receive a free ringtone), where she agreed to terms and conditions (“T&Cs”) that included accepting on the registered cell phone promotions from the website’s affiliates and brands. Initially, Satterfield was turned aside on summary judgment when the trial court held the text was not sent by an ATDS and that Satterfield consented to its receipt (and thus did not reach arguments that text messages are not “calls” under the TCPA).

Last week, the Ninth Circuit reversed. It found, given dueling expert testimony, a material fact question that needed to be tried, as to whether the equipment that sent the text was an ATDS. It also held, based on Federal Communications Commission (“FCC”) pronouncements, and on the law’s legislative history and intent, that text messages are “calls” under the TCPA. This part of the decision became the headline in much reporting and commentary on the case, not to mention speculation about what it means to marketers. But classifying text messages to phone numbers as ATDS transmissions is hardly news – the FCC said they were over five years ago, and reiterated as much in adopting rules under the CAN-SPAM Act (which govern mobile service commercial messages to email addresses, which differ from text messages to phone numbers), so that question was never in serious doubt. Rather, the more intriguing aspect of the Ninth Circuit’s decision (in my view), which received less attention, comes in its last few pages.

There, the court rejected claims that the text-message was allowed based on consent Satterfield gave at the Nextones’ website to receiving promotions from its affiliates and brands. Rather than viewing who could be an “affiliate” of Nextones in more colloquial terms – which is the tone for which many online T&Cs and privacy policies strive to make them more consumer-friendly – the Ninth Circuit construed “affiliate” as having “independent legal significance” so as to require a corporate relationship between the entities “by shareholdings or other means of control.” Since Nextones and Simon & Schuster are not commonly controlled, the court reasoned, the publisher could not be an “affiliate” of Nextones from whom Satterfield consented to receive texted ads. The court took a similarly narrow view of “brands,” holding they are “commonly defined” as “goods identified as being … of a single firm,” so since the text message advertised a product of Simon & Schuster, not Nextones, consent did not exist on this basis, either.

The decision thus begs the question how a company’s website (and other peripheral materials) must identify third-parties who may market to the company’s consumers, in order for consent, such as that contemplated by the TCPA, to encompass third parties. If describing them as “affiliates” will not suffice – and, one would think, the prospect exists of courts like the Ninth Circuit imposing legally-specific definitions on, or finding equally insufficient otherwise, other commonly used colloquialisms such as “partners,” “clients” or “co-marketers” – how are companies to describe such third-party marketers in a way that is both understandable and succinct, while still being meaningful to consumers? That, I believe, is among the principal challenges facing marketers in the wake of the Ninth Circuit’s Satterfield decision.

We're Baaaaaaack.

Lance Koonce — Tue, 02 Jun 2009 11:48:59 -0800

Those of you who were once frequent visitors to this blog may, by now, be asking one or more of the following questions:

(a) Why haven’t you guys posted anything for so many months?
(b) Why does the site look different?
(c) Who’s going to win the NBA playoffs?
(d) Why did they cancel My Name is Earl?

Well, the first two at least. The truth is that this blog was started in August 2005, and ran steadily (sometimes more steadily than others) for about three years. As blogs go, that’s a fairly distinguished record – there are more abandoned blogs lining the sides of the Information Superhighway than there are hubcaps along the Cross Bronx. Wait, did we actually just use the phrase “Information Superhighway”? Because that is so 2005. As is that phrase we just used.

So anyway, when our firm decided to revamp its website, we took this as an opportunity to think seriously (read: discuss over drinks) what we wanted to accomplish with this blog, and what we needed to do to keep it fresh and relevant. The process has taken a bit longer than we expected, but here’s where we are:

Rather than a long list of bloggers, you will be getting regular updates from just five of us – and henceforth there will be no more posts in this annoying third-person, royal we, voice. We may have some guest bloggers on occasion, but for the most part you can level any criticisms at the following:

Bruce Johnson, our Burgermeister-Meisterburger, who will be blogging on the topic of Personal Communications (blogging, employee/employer relations, etc.)

Randy Gainer, who will be captivating you with stories about the Government Surveillance (ECPA/CFAA, CALEA, REAL ID/travel issues, etc.)

Charlene Brownlee, who is by far the most stylish among us (and who will be blogging on the subject of Data Breaches and identity-theft laws)

Ronald London, who will endeavor to keep an eye on Congress and will be blogging about telemarketing, junk fax, CAN-SPAM, behavioral/advanced advertising, and CPNI (which we’ll call Marketing and Consumer Privacy)

Lance Koonce, who will try not to mangle any stories about Online Threats such as hacking, phishing, pharming, pretexting, malware/spyware, and offline versions such as dumpster diving and the theft/loss of data-containing devices.

We do not purport to be a source for all news that touches on privacy and security – the field has exploded and aggregating such information would be a full-time career. Rather, we hope to tease out interesting aspects of specific issues within our areas of coverage. We hope you’ll take a look, and keep coming back if what you see intrigues you.

Thanks,

The PrivSecBlog Team

And by the way:

The Lakers.
Ratings. And possibly bad karma.

FTC "Reminder" About ID Theft Red Flag Compliance

DWT — Wed, 16 Jul 2008 12:50:58 -0800

Our recent Advisory Bulletin recounts how the FTC recently issued issued a gentle reminder that companies should be well along in getting their Identity Theft Red Flag programs in place in anticipation of the November 2008 compliance deadline. The FTC's notice announced that it also has launched an outreach effort to explain the rules, which included publication of a very general alert on what the rules require and what types of businesses must comply.

The Identity Theft Red Flag Rules were jointly adopted last year by the FTC and five other federal agencies (the Office of the Comptroller of the Currency, the Board of Governors of the Federal Reserve System, the Federal Deposit Insurance Corporation, the Office of Thrift Supervision, and the National Credit Union Administration) pursuant to the Fair and Accurate Credit Transaction Act of 2003. Under the rules, financial institutions and “creditors” with “covered accounts” must have identity theft prevention programs in place and operating by November 1, 2008. The programs must identify, detect and respond to patterns, practices or specific activities that could indicate an account holder has been the victim of — or is engaged in — identity theft.

As explained in the DWT advisory, all types of financial institutions and most electronic service providers (including video, Internet and voice service providers) will have “covered accounts” governed by these new rules and therefore must have designed, implemented and begun operating an internal system to detect and combat identity theft no later than November 1, 2008. The advisory provides the relevant definitions and other triggering terms in the rules, and an overview of what they require.

Malware Cited as the Cause of Massive Supermarket Data Breach

DWT — Mon, 14 Apr 2008 14:50:19 -0800

By Hozaifa Cassubhai

A massive data breach at an East coast supermarket chain compromised up to 4.2 million credit and debit cards earlier in March, leading to 1,800 cases of fraud arising as far away as Mexico, Italy and Bulgaria. Recently, the Hannaford Bros. grocery chain announced the cause of that breach: unauthorized software secretly installed on servers that intercepted data from customers as they paid with plastic at checkout counters.

While the precise source of the malicious software remains under investigation, the Scarborough, Maine-based grocer confirmed that Massachusetts regulators had been informed of the link between the breach and the malware, which polluted nearly all of the company’s 271 stores’ servers. The U.S. Secret Service has confirmed that it is helping investigate the crime, although the scope of its involvement is unclear.

The Hannaford breach is unique to the extent that credit card numbers were stolen while the information was in transit, or at the point of sale. This represents a new more sophisticated line of attack, exposing the vulnerabilities in the communication between cash registers and branch servers, as Neal Krawetz of Hacker Factor Solutions has warned in research.

The method contrasts with the usual mode of attack, which targets data sitting in databases, as was the ca se in the record-setting theft of information from Massachusetts-based TJX Cos in 2005 and 2006. That breach compromised 45.7 million accounts of customers of T.J. Maxx and Marshalls stores and now forms the basis of a pending federal consumer lawsuit in Boston.

Hannaford states that its breach occurred between Dec. 7, 2007 and March 10, 2008, but notes that while the breach was ongoing, the company was found to be in compliance with the relevant industry security standards. “We have taken aggressive steps to augment our network security capabilities,” Hannaford president and CEO Ronald C. Hodge said in a statement on March 17. “Hannaford doesn’t collect, know or keep any personally identifiable customer information from transactions.”

Some State Data Encryption Requirements More Effective than Others

DWT — Wed, 27 Feb 2008 07:59:22 -0800

Posted by Randy Gainer

State and federal laws encourage businesses to encrypt consumers’ computerized personal information. Most state data breach notice laws do not require businesses to notify their customers when customers’ digital personal information has been stolen or lost if the information was encrypted. The Federal Trade Commission encourages but does not mandate that consumers’ personal data be encrypted. See Protecting Personal Information, A Guide for Businesses

Nevada enacted a statute that goes further and affirmatively requires businesses to encrypt certain consumer data. Washington and Michigan are currently considering legislation that would also require consumer data to be encrypted. The Nevada statute and the pending Washington and Michigan bills contain different encryption requirements. Of the various measures, the proposed Michigan bill and the Washington Senate bill would most effectively protect consumer data if they are enacted.

The Nevada statute, NRS 597.970 (effective October 1, 2008), requires each business in Nevada to encrypt customers’ personal information when it is transmitted outside the business’ secure network. See Charlene Brownlee, “Nevada passes first law requiring business to encrypt customer personal information during transmission” (October 19, 2007). The Nevada statute does not require businesses to encrypt consumers’ personal information while it is being stored on the businesses’ servers, laptops, or backup tapes. It’s much more likely, however, that thieves will steal and business will lose large amounts of stored consumer data than it is that data in transit will be stolen or lost. For that reason, the overwhelming majority of reports of stolen and lost consumer data relate to stored data, not data in transit. See, e.g., Chronology of Data Breaches. The limited, data-in-transit, encryption mandate in the Nevada statute will therefore do little to stem the tide of stolen and lost consumer data.

Unlike the Nevada statute, Michigan Senate Bill No. 1022 would require businesses to encrypt stored consumer data. The Michigan bill would, among other things, amend the state’s “Identity Theft Protection Act,” MCL 445.71-.72, by prohibiting the following conduct:

(e) If the person collects personal identifying information in the regular course of business and stores that information in a computerized database, failing or neglecting to store that information in the database in an encrypted form, in conformity with current industry-standard encryption methods and capabilities.

This prohibition would make it unlawful to fail to encrypt consumers’ personal information stored in digital form and to fail to use “industry-standard encryption methods and capabilities.” The latter prohibition should prevent businesses from deploying out-of-date encryption programs and from using deficient encryption procedures. It is important that businesses be required not only to encrypt stored data but to do so competently. See, e.g., Mike Chapple “Lessons Learned from TJX: Best Practices for Enterprise Wireless Encryption” (December19, 2007) (reporting that the data theft of payment card data at TJX has been linked to the company’s use of the flawed WEP encryption program and to other errors).

The proposed Michigan statute also includes, at section 16, authorization for financial institutions to bring civil actions for card replacement and other costs against persons who maintain computerized databases that contain personal information if a security breach of the database occurs. Section 16 of the Michigan bill is similar to Minn. Stat. 365E.64, which was adopted last year. See Randy Gainer, “State Laws to Shift Some Data Breach Costs to Businesses with Weak Security” (May 25, 2007).

Two bills pending in the Washington State legislature, Substitute House Bill 2838 and Senate Bill 6425, would also authorize financial institutions to recover such costs from persons who must disclose data breaches. See section 1 of Sub. HB 2838 and section 6 of SB 6425.

Section 4 of pending Washington SB 6425 would also require businesses that collect or store computerized personal information in connection with payment cards to “comply with payment card industry data security standards established by the PCI security standards council.” Requirement 3.4 of the current version of the PCI Data Security Standard (PCI DSS) mandates that the primary account number of payment cards must be protected while in storage by encryption, hash indexes, truncation, or index tokens and pads. Requirement 4 of the PCI DSS mandates that card information be encrypted when it is transmitted over easily accessible networks. Proposed Washington SB 6425 would, therefore, effectively require encryption for payment card data in transit and require either encryption or other data-masking measures for payment card primary account numbers while they are in storage.

If enacted, Michigan SB 1022 and Washington SB 6425 will require businesses that collect digital personal information to take effective steps to protect the information. While the PCI DSS already requires such measures for payment card data, both bills would enact the requirements into law and the Michigan bill would extend such protections to all digital personal information.

Privacy Coalition Requests FTC to Probe Ask.com; In Response, Ask.com and its Allies Cry Foul

DWT — Tue, 12 Feb 2008 10:12:22 -0800

Posted by Hozaifa Cassubhai

The election season may be in full swing, and the buzz about the recent Superbowl at full throttle, but heated debates and bravado are not just limited these days to politicians and athletes. Recently, search engine vendor Ask.com and its supporters have come out swinging against several privacy groups over a complaint they recently filed that requested the Feds to forcibly pull the plug on a new feature called AskEraser. As Nicholas Graham, a spokesman for Ask.com stated: [The complaint] merits a 15-yard penalty for unsportsmanlike conduct.

The complaint was filed on January 19th by a consumer privacy coalition, which included the Electronic Privacy Information Center and Consumer Action. The coalition alleged that Ask.com collected user information and retained user data in contrast to the representations it made about its AskEraser Service. Such misrepresentations, the coalition contended, violated Section 5 of the Federal Trade Commission Act, 15 U.S.C. 45(a), in that it was an unfair and deceptive trade practice.

Immediately thereafter, the Center for Democracy and Technology (CDT), a Washington-based think thank, voiced its support for Ask.com by sending a letter to the Federal Trade Commission urging it to dismiss the complaint as "unfounded." In the letter, CDT defended Ask.com, stating that it "had proactively addressed or is in the process of addressing the concerns previously raised by the petitioners that are within [its] control. "

At time of launch, AskEraser aspired to let users ask for their search activity data not to be retained on the company’s servors. Ask.com claimed that when enabled by a user, AskEraser would completely erase search activity data from the system, including IP addresses, user IDs, session IDs and the text of all queries.

But the coalition claims that Ask.com's proclaimed aspiration and implementation were deceptive. It claimed that while Ask.com portrayed itself to be "serious about privacy" and "committed to meeting and exceeding emerging privacy trends," it failed to prevent or regulate the collection and use of user Ask.com searches by third-party advertising companies. The only way for a user to prevent such collection would be to visit each third-party site and disable cookies on those individual Websites. On a related vein, in order to enable AskEraser, users first needed to accept an opt-out cookie, which, in itself, was a persistent unique identifier. Plus, the coalition argued, Ask.com reserves the right to retain user search data in case of a court order without informing users.

Those opposing the complaint claim that the coalition is being overzealous. While not perfect, the AskEraser service was an effort worth applauding, they claim. Graham said that the complainants and Ask.com had been in a "constructive dialogue," and that the allegations were based on outdated information. For instance, the lifetime of the opt-out cookie has been changed to 30 years, a change that has been publicly posted on the search engine' website. Concsequently, there is no way for Ask.com to uniquely identify anyone, Graham contends.

The debate, for now, will continue in court . . .

FTC Data Security Consent Decree Suggests Minimum Steps Companies Must Take

DWT — Fri, 25 Jan 2008 06:03:17 -0800

Posted by Ronald London

The FTC recently announced a consent decree with online retailer Life is good (www.lifeisgood.com) that offers insight into what that agency may believe are the bare minimum steps companies must take when making the kind of generic we-protect-the-information-you-give-us statements found in most privacy policies. The FTC claimed Life is good offered such reassurances but failed to have in place sufficient measures (from the FTC's view) to back them up, based on the ability of a hacker to use SQL injection attacks on Life is good’s website to access consumers' credit card numbers, expiration dates, and security codes. To resolve allegations in a draft complaint the FTC had prepared alleging unfair trade practices, Life is good settled the claims by entering a consent decree requiring it to adopt a comprehensive information-security program and obtain biennial audits by an independent third-party security professional … for the next 20 years.

Significantly, the FTC pursued Life is Good based not on allegations that it violated any privacy- or financial-services-specific law or regulation (such as the FTC’s Financial Privacy or Safeguards rules), but rather under the agency's generic unfair-trade-practices authority, to proceed on a theory that the company made representations to the public in the course of soliciting and entering commercial transactions, then failed to honor its representations. According to the FTC's press release, Life is good collected sensitive consumer information including names, addresses, credit card numbers, credit card expiration dates, and credit card security codes, pursuant to a privacy policy that claimed: “We are committed to maintaining our customers' privacy. We collect and store information you share with us - name, address, credit card and phone numbers along with information about products and services you request. All information is kept in a secure file and is used to tailor our communications with you.” The FTC alleged that Life is good failed to honor this commitment because it:
• unnecessarily risked credit card information by storing it indefinitely in clear, readable text on its network, and by storing credit security card codes
• failed to assess the vulnerability of its website and computer network to commonly known and reasonably foreseeable attacks, such as SQL injection attacks
• failed to implement simple, free or low-cost, and readily available security defenses to SQL and similar attacks
• failed to use readily available security measures to monitor and control connections from the network to the Internet
• failed to employ reasonable measures to detect unauthorized access to credit card information

The consent decree has the standard provision that the company will no longer violate the FTC Act, but in addition, the above-referenced "comprehensive information-security program" that Life is good must institute requires administrative, technical, and physical safeguards tailored to the size of Life is good as a commercial entity, the nature of its activities, and the sensitivity of the personal information it collects. Specifically, the consent decree mandates an information-security program that includes:
• designation of an employee or employees to coordinate the information security program
• identification of internal and external risks to the security and confidentiality of personal information and assess the safeguards already in place
• creation and implementation of safeguards to control the risks identified in the risk assessment
• monitoring the safeguards' effectiveness
• development of reasonable steps to select and oversee service providers that handle personal information of Life is good customers.
• evaluation and adjustment of the program to reflect the results of monitoring, material changes to the company’s operations, or "other circumstances" that may effect program efficacy
• bookkeeping and record-keeping to facilitate FTC monitoring of compliance with the consent decree
Further, the above-noted independent, third-party security auditor that Life is good must employ biennially for the next 20 years, will be required to certify the security program meets or exceeds the requirements of the consent decree, and is operating with sufficient effectiveness to provide reasonable assurance of the security of consumers’ personal information.

While the duration and reach of the information-security program’s terms mandated by the consent decree may be heightened in part as a result of Life is good having been open to a hacker’s attack that resulted in a compromise of consumers’ sensitive data, the basic framework suggests what security measures the FTC believes most companies should have in place. It indicates that, in general terms, a company should have an employee (or, if necessary, several employees) charged with oversight of securing the sensitive personal information the company collects, routine information-security risk assessments and establishment of safeguards against identified risks, and monitoring, bookkeeping and record-keeping that demonstrates the functioning and efficacy of the program. In addition, it appears the FTC expects companies take at least reasonable steps to ensure that third parties with which a company shares its sensitive information, have in place sufficient measures to ensure that nay sensitive data that is shared will be secure upon receipt by the third party.

The FTC’s announcement of the consent decree provides an opportunity for all companies that collect sensitive personal information, and that publicly make promises about how they safeguard that data, to re-evaluate their data security programs to ensure they are meeting at least the minimum steps the FTC appears to expect. The FTC’s Protecting Personal Information: A Guide for Businesses is a good resource in this regard as well.

California Breach Disclosure Law Now Covers Medical Records

DWT — Thu, 10 Jan 2008 11:16:32 -0800

By Charlene Brownlee

California extended its data breach notification law to include incidents involving electronic medical and health insurance information. California's data breach law, SB 1386, had previously covered only financial records. The new law, AB 1298 took effect January 8, 2008. The law adds medical and health-related information to the existing breach notification law definition of "personal information" and expands the application of the Confidentiality of Medical Information Act (CMIA) to include any business organized for the purpose of maintaining medical information.

AB 1298 amends several existing privacy laws (Civil Code §§ 56.06, 1785.11.2, 1798.29, and 1798.82):

It applies prohibitions of the Confidentiality of Medical Information Act to any business organized for the purpose of maintaining medical information for treatment or diagnosis.
It permits a consumer reporting agency, regardless of the existence of a security freeze, to disclose public record information lawfully obtained from an open public record to the extent otherwise permitted by law. This provision stems from a recent court decision which threatens to eliminate the "freeze access" law in California without this change. These provisions do not prohibit the consumer reporting agency from electing to apply a valid security freeze to the entire contents of a credit report.
It adds “medical information” and “health insurance” information to the definition of “personal information” that, if acquired by an unauthorized person, would require notification of the security breach.
- “Medical Information” is defined as “any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.”
- “Health Insurance Information” is defined as “an individual’s health insurance policy number or subscriber information number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.”
AB 1298 adds unencrypted medical histories and information on mental or physical conditions or diagnoses to the types of records covered by the California breach notification law. Unencrypted insurance policy or subscriber numbers, applications for insurance, claims histories and appeals are also now covered.
It is important to note that these new provisions are not limited to health care providers, but may affect any employer or other entity with computerized employee benefits or other health data.

Record Number of Data Breaches Reported in 2007, But Optimism Reigns

DWT — Wed, 09 Jan 2008 11:29:56 -0800

Posted by Hozaifa Cassubhai

The number of publicly reported data breaches in the United States rose by more than 40 percent in 2007, according to the Identity Theft Resource Center (ITRC), and it appears Microsoft, among others, is taking steps in response.

In its December 31 report, the ITRC cited 446 breaches in 2007. Those breaches resulted in the exposure of approximately 127 million data records. In comparison, the consumer rights advocacy group identified 312 publicized breaches in 2006 affecting nearly 20 million records.

By category, the 2007 breaches break down as follows: 28.9% from general businesses; 24.9% from educational institutions; 24.7% from government/military agencies; 14.6% from health care facilities/companies; and 7% from banking/credit/financial services entities.

While 2007 may be worst on record from a statistical perspective, ITRC founder Linda Foley cautioned that the current increases in data theft do not exclusively reflect a rise in data thievery, but also the fact that more data breaches are being reported to the public than ever before. This is presumably so, in part, because of mandatory reporting laws that govern organizations in 39 states and the District of Columbia. Foley also noted that regulated industries like healthcare and finance reported far fewer breaches than those less structured, indicating a trend that as data breach awareness goes up, the actual number of breaches will go down. Also, of the 127 million exposed customer records in 2007, 94 million came from the TJ Maxx breach.

That said, ITRC predicts that the numbers will rise even further in 2008. It is perhaps for that reason that Microsoft recently launched a security blog that explains the vulnerability research behind the patches and security updates the company releases each month. Through bi-weekly updates, the Security Vulnerability Research and Defense blog provides in-depth technical information and ways security professionals can protect an organization from vulnerabilities.

“We’re going to share as much [] information as possible here because we believe that helping you understand vulnerabilities, workarounds, and mitigations will help you more effectively secure your organization,” Microsoft stated in the first posting.

Report on the FTC's Conference on "Ehavioral Advertising"

DWT — Tue, 18 Dec 2007 08:58:04 -0800

Posted by K.C. Halm, Ronald London, Razeeb Hossain, and Anne Shelby

In early November the FTC held a series of roundtables and panels to discuss emerging issues in behavioral advertising. The FTC has posted transcripts, videos, the workshop agenda and a list of all participants on its website, found here.

Common discussion themes throughout the two-day workshop included the contradiction between consumers' failure to protect their personal information despite their stated concern with privacy; the perceived need for greater transparency in privacy policies, especially with respect to providing more detailed descriptions of data use; the disagreement between the infor-mation industry and consumer groups as to the efficacy of private sector self-regulation; debate over the best methods to inform consumers of their privacy choices; and concern over the coming use of developing technologies for data collection, use and disclosure.

A detailed discussion of the sessions follows below.

Session 2: Behavioral Advertising Today: Understanding the Business and Technology

After a brief introductory “Overview of Behavioral Advertising” that served as Session 1, Dave Morgan of TACODA, Inc. argued that behavioral advertising represents the onset of a period of advertising where consumers receive ads intended to be more “relevant” to their interests and needs. In other words, consumers receive fewer, but better tailored contacts, because advertisers can offer focused, well-targeted ads. He suggested that innovations in behavioral advertising protect privacy by providing more tools and greater privacy choices, and noted that because consumers have greater privacy controls they are driving the market for online service and retailers engaged in behavioral advertising must heed these consumer preferences. Michael Walrath, of Yahoo!, discussed the benefits of behavioral advertising, suggesting that behavioral advertising does nothing more than allow Yahoo to know their customers – a common objective of all marketing activity.

Google’s Tim Armstrong asserted that the behavioral advertising business model revolves around the establishment of consumer trust. Retailers can not employ these advertising tools if the customers do not trust the retailer’s business practices. He argued that, because this is a very competitive business environment, there is a significant amount of consumer choice, and consumers can walk away from the advertising at any time (simply by discontinuing use of certain services). An advertising firm operating in Europe, Net Mining, discussed its practices operating within the EU’s current privacy directives and how they differ from most US-based companies’ approaches. The impact of the EU directives on the behavioral advertising business model include limitations on cookie profiling of online visitors (must be anonymous), limits on site specific score-based advertising (again, must be anonymous), and ensuring that behavior driven interactions are appropriately scrubbed to ensure anonymity.

Pam Horan, of the Online Publishers Association, argued that behavioral advertising enhances user experience by offering targeted advertising that the user values more than ads not relevant to the user’s interests. She suggested there is a “value exchange” between advertisers and consumers because these practices provide revenue sources for the online publishers, thereby making available the content and services offered through web sites provided by online publishers. Ralph Terkowitz, a General Partner at ABS Capital Partners, asserted that economic incentives for behavioral advertising are different from traditional marketing because the means of delivery of such ads (over the Internet) has dramatically reduced, if not eliminated, the costs of delivering the ads. Finally, to conclude this session, Oregon State University’s Carlos Jensen offered evidence that the use of online tracking tools, including web bugs and cookies, is increasing dramatically in the U.S., but actually decreasing in Europe. Although the implications of these findings were not clear, Jensen seemed to suggest that online commerce in Europe continues to develop at the same pace as commerce in the U.S., and that use of behavioral advertising techniques is therefore not essential to continued development of innovative and commercially valuable applications and content.

Session 3: Consumer Survey Data

In this session, George Milne, an Associate Professor of Marketing at the University of Massachusetts-Amherst, reported on a survey of consumers, marketing managers and direct marketers who were asked whether they wanted to allow information gathering technologies to gather information, and if so, whether they preferred opt-in procedures, opt-out procedures, or no permission tools at all. The survey revealed that most consumers want to control the technologies used by marketers (45% did not want to allow use of the technologies and nearly 35% wanted an opt-in framework). Consumers expressed greater concerns with new technologies than those that were more familiar. Generally speaking, consumers did not want to allow information gathering technologies while marketing managers preferred the opt-in option, and direct marketers preferred the opt-out option.

Larry Ponemon then reported that 8% of the population is “privacy-centric,” meaning they care deeply about privacy, 72% are “privacy-sensitive,” meaning that they care about privacy but not to the extent that it changes their behavior, and 20% (generally younger people) are “privacy complacent,” meaning they do not care about the sharing or selling of their private information. Consumers associate negative connotations with the word “cookie,” especially in a privacy policy, although the greater the consumer’s knowledge of cookies, the less negative the perception and the more likely a consumer is to opt-in. Mr. Ponemon summarized that (1) consumers want to have more control over their personal information, although an online ad that targets their preferences improves their online experience; (2) consumers do not want to pay for “free” Internet content or services; and (3) cookie deletion is declining, which may mean that consumers are more complacent.

Session 4: Data Collection, Use and Protection

This session allowed company representatives to express concerns about consumer privacy and to discuss how their firms build privacy protections into their respective architectures. They described ongoing internal reviews of their systems that are performed to maximize consumer privacy protections.

A representative of the U.S. Public Interest Research Group said that, nevertheless, serious problems persist for consumers when they go online, and added that consumers reveal much more information about themselves online than they realize, and much more than they would in the real world. Consumers need to realize that every bit of information gathered about them has value. They should know what information is collected and what happens to that data. A representative from the Office of Privacy Commissioner in Canada noted that unlike the U.S. in the E.U. and Canada the government supervises the collection and use of data. Panelists noted that while it is more trouble to anonymize data, it certainly can be done. The increasing ability to collect personal information in real-time makes consumer control of data even more important.

In response to audience questions, the panelists emphasized the need for transparency, stating that the information collection industry needs to be clearer with people about what companies are doing with their data.

Session 5: Roundtable Discussion of Data Collection, Use and Protection

During the roundtable, a variety of companies and other entities defended their information practices while others pointed out weaknesses in overall practices, emphasizing a common consumer view that companies fail to provide clarity (a.k.a. “transparency”) with respect to information practices.

Participants shared concerns about teens’ social networking. Observers assert that teens do not know that everything they say or do on social networking sites is available to marketers. Panelists felt that rules are needed on access to teens’ information and privacy disclosures to kids, and that teens do not understand behavioral targeting. Facebook noted that information is not being sold but this does not mean the information is not being collected. Panelists opined that people below age 25, especially those below age 18, believe anonymity is a substitute for privacy. Many panelists believed teens do not even think of privacy when they are on Facebook. (Since then, the flap over Facebook’s privacy practices and its Beacon program shows that that many young people are in fact concerned with privacy.)

Some participants believe that no one reads privacy notices, so to say that a site has a good, clear privacy policy is meaningless. Many felt that a better way to educate consumers needs to be developed.

The session also revealed that, among companies and consumers, considerable difference of opinion exists as to who owns personally identifiable information (“PII”). Some stated that a major issue – if not the major issue – is data security, pointing to concerns about misuse of data when it falls into the wrong hands.

Session 6: Disclosures to Consumers

This session focused on privacy policies and similar statements of companies’ online practices concerning user data. The session also addressed the generation of targeted advertising and the efficacy of such industry efforts. Lorrie Faith Cranor, an Associate Research Professor at Carnegie Mellon, began the session with a short presentation exploring the disconnect between consumers’ statements that protecting their privacy online and in related contexts is important notwithstanding their lack of effort to avail themselves of available tools to safeguard their privacy. Ms. Cranor offered two main explanations for this contradiction: first, that some consumers do not appreciate the impact of some of their online behavior on their privacy, and second, the direct and indirect costs of taking privacy-protecting steps are too high. She also cited studies that show that privacy policies tend to be too difficult to understand, in part because they require college-level reading skill, and in part because they contain too much “legalese.” Research indicates that consumers dislike even well-written privacy policies which can have little utility due to consumers’ low comprehension. Research indicated that consumers tend to place greater trust in longer written policies based on their often-misplaced belief that those policies are more privacy-protective.

The session also included open panel and question-and-answer discussions that focused heavily on policy rather than regulatory concerns. The conversation examined practices and still-developing plans of specific major online entities represented on the panel. Panelists agreed that consumers place a premium on companies’ transparency practices and the degree of consumer data control. There appeared to be substantial support for a model wherein the more intensive the use of a consumer’s PII, the more frequently consumers should receive a concomitant opportunity to opt out, presented in an obtrusive manner. Examples included reminder pop-ups associated with the Google toolbar, and eBay’s recently launched initiative to “tag” ads, provide pop-up with its ad policy, and continuously provide links such as “why am I receiving this” with the ads.

Extended discussion ensued regarding methods to get consumers to read and appreciate posted privacy policies, though there was also a recognition that there is only so much companies can do to “force” consumers to take an interest and act on it. Moreover, there was debate about what the right metric should be for a privacy policy’s efficacy, i.e., whether users actually take the time to read it, or whether specific information is available when a consumer wants to find it.

Some panelists suggested that some common privacy messages are not useful for consumers, including the phrase that a website “shares your information with certain trusted third parties.” This statement tells consumers nothing about who is receiving their information, what they are using it for, whether it is being combined with other information and the origin thereof, or what the third parties have done to be deemed “trusted.” As an overarching matter, however, most agreed there must be a way for consumers to identify and track their “digital identity” across multiple online (and offline) environments. The panel discussed the prospects that government regulation of privacy standards and notices might be worth examining. A number of panelists agreed that the market is leading to development of private self-regulatory initiatives.

Regarding specific practices, panelists agreed that reaching a consensus on symbols and messages across websites would help increase transparency (e.g., having an icon attached to ads that stands for “ad” and associating the ad with a pop-up or pop-under with information about how the ad relates to the PII collected). Conversely, consumer advocates suggested more robust links with messages like “click here to learn more about how your personal information is used by this website” rather than, for example, simply “privacy policy” or “learn more.” Industry panelists were lukewarm to the idea. They stressed that online, “every pixel counts,” whether it is maximizing revenue, communicating information, or just presenting white space to enhance the readability and overall impact of a site.

Session 8: The Regulatory and Self-Regulatory Landscape

This session demonstrated that companies believe the industry as a whole is doing an excellent job protecting consumer privacy, and that many believe the Network Advertising Initiative (“NAI”) plays a useful, if voluntary, role in creating best practices for the industry. Consumer groups, on the other hand, believe the NAI and its opt-out cookie are not working, that technology has passed-by the NAI, and that the industry is not effectively self-regulating. Advocacy groups describe consumers as generally unsophisticated and in need of education on the ways companies track and target them.

Panelists discussed the do-not-track model as an alternative to the current practice of notice and choice, but some companies thought it might be technologically challenging to implement. Consumer groups liked the idea of having one place a consumer can visit to avoid being tracked, although as proposed, some thought it put too great a burden on the consumer. Until the very end, when one speaker said that consumers need enforceable rights, there was really no suggestion that the government needed to step in to create a more consumer-friendly environment beyond the current industry self-regulation, even if that self-regulation may be less than perfect.

Session 9: Roundtable on the Future of Behavioral Advertising

The final session centered on the tracking and profiling of consumers: how they are tracked, who is tracking them, and what the business and legal consequences could be.

Katherine Albrecht, Director of CASPIAN, spoke about the future of Radio Frequency Identification (“RFID”) tags. RFIDs are likely to increase in both number and sophistication. She posited that soon a company may be able to identify all of the items inside of a purse, when and where each item was purchased, and who owns the purse – all through RFID tags. This level of tracking may have negative implications for consumers, many of whom do not know what RFID tags are. One possible negative consequence is price discrimination against consumers whose purchasing behavior makes them less profitable than others.

Jules Polonetsky, Chief Privacy Officer from AOL, spoke about the future of cookies as identifiers of consumer behavior. He said that while cookies are useful for advertising, they are not as useful for data collection or tracking. Many cookies are blocked by anti-spyware programs, and others are removed by people who are proficient with browser controls. Mobile devices, where many people think the future of behavioral advertising lies, do not yet have cookies, in part because the devices are not “granular” enough, but likely will support cookies in the near future. This means that, for now, it is not easy to pinpoint a mobile’s location within a small area beyond using the location-tracking abilities (for enhanced 911 purposes) that the devices already feature.

Alissa Cooper of the Center for Democracy and Technology noted that ISPs are in a commanding position to gather, use and market data reflecting online behavior but doing so will create a complicated set of issues. Another panelist said that while consent and notice issues between consumers and websites are complex, issues between consumers and ISPs are even more complex. This is because unlike ad networks, ISPs’ documenting and analyzing of data that flows through their systems may violate wiretap laws. Panelists noted that content-based wiretapping laws may apply when ISPs monitor e-mail, but this may not be the case when the ISPs collect internet protocol (“IP”) addresses.

Some presenters argued that end users are often sophisticated, and prefer to choose their level of privacy protection. For example, in social networking sites such as Facebook, users can choose to provide information about themselves to anyone on the site, or they can choose to restrict the information to only those users they permit to see it.

Beware the Flirtbot

DWT — Wed, 12 Dec 2007 14:16:12 -0800

Posted by Brian Kennan

Ever since the computer was invented, people have wondered when such machines would be able to think. In 1950, mathematician Alan Turing suggested a simple test for computer intelligence: if a computer can fool a human being into thinking it is also human, said Turing, the machine should be considered intelligent.

Turing died in 1954 but must have rolled over in his grave last week when the Turing test's reputation hit a new low: security analysts discovered a "sex chat" computer program so lifelike it was fooling customers into disclosing their personal data.The program is called "CyberLover" and exploits a technique long known to security researchers as "social engineering," a fancy term for manipulating users into disclosing information. What's new with this con is that the one doing the social engineering is a computer program. And a hard working one. According to Ina Fried, citing a report from PC Tools, CyberLover "can work quickly, too, establishing up to 10 relationships in 30 minutes.... It compiles a report on every person it meets complete with name, contact information, and photos."

Of course, the user must volunteer this information, which raises another intriguing question: Are users that are naive enough to give out personal information to a computer sex-chat program able to pass the Turing test themselves?

FTC Announces "Crackdown" on Do-Not-Call Violators

DWT — Wed, 05 Dec 2007 08:23:35 -0800

Posted by Ronald G. London

The Federal Trade Commission recently announced that as a result of a new crackdown by the agency on violations of the National Do-Not-Call Registry (“NDNCR”) and related provisions of the FTC’s Telemarketing Sales Rule (“TSR”), it entered several consent decrees with multiple companies totaling $7.7 million in civil penalties, with one complaint still outstanding. The FTC brought the enforcement actions against Craftmatic (purveyor of adjustable beds and mobility assistance scooters) and affiliated entities through which it conducts telemarketing, ADT for TSR-violative actions by authorized third-party dealers of its security systems, Ameriquest Mortgage Company, Guardian Communications and its prerecorded call vendor U.S. Voice Broadcasting, and Global Mortgage Funding. Each of the first four companies and their affiliated entities entered consent decrees with the government and agreed to pay substantial civil penalties (amounts provided below) and to injunctive relief prohibiting them from engaging in similar violations in the future, while the FTC’s complaint for civil penalties and injunctive relief against Global was to be filed.

The thrust of the FTC’s complaints are as follows:

For Craftmatic, which agreed to pay a $4.4 million civil penalty, the second highest NDNCR fine ever, its attempt to use sweepstakes to create an established business relationship and/or obtain prior express consent to future telemarketing calls was insufficient to permit calls to the sweepstakes entrants who were on the NDNCR, and the FTC further alleged violations of its rule against “abandoned” telemarketing calls (i.e., those that connect to a consumer but disconnect before a live sales agent comes on the line), and that Craftmatic failed to honor company-specific do-not-call requests.

With respect to ADT, which agreed to pay a $2 million civil penalty, the FTC made allegations similar to those it made in brokering a $5.3 million settlement with DirecTV in 2005 -- that is, the company failed to exercise sufficient control over authorized third-party dealers selling its services through (among other means) telemarketing to numbers on the NDNCR, which in ADT’s case, were Alarm King and Direct Security services, who respectively agreed to pay $20,000 and $25,000 civil penalties. In addition, ADT’s consent decree required it, like DirecTV, to adopt a compliance program with detailed monitoring, record-keeping, and reporting requirements.

The complaint and consent decree for Ameriquest are somewhat opaque in alleging that it placed calls to numbers listed on the NDNCR and to consumers who had made company-specific do-not-call requests to Ameriquest, which agreed to pay a $1 million civil penalty. However, the FTC’s press release provides slightly more detail, basically that Ameriquest improperly relied on third-party lead-generators for TSR compliance, as has been the case with other telemarketers with whom the FTC has settled alleged telemarketing violations.

For Guardian Communications and U.S. Voice Broadcasting, which agreed to a judgment in the amount of nearly $7.9 million with all but $150,000 suspended due to inability to pay, the violations arose out of prerecorded messages, all of which the FTC treated as abandoned calls, while further alleging that Guardian failed to provide proper caller ID information and placed calls on behalf of entities that were required to pay NDNCR fees but had not done so.

The Global Mortgage complaint contains bare allegations that it placed calls to numbers on the NDNCR, without paying NDNCR fees, that it abandoned calls, and that it failed to transmit caller IDs. As noted, there is no consent decree for Global (and, moreover, the complaint recites that it filed Chapter 7 bankruptcy last year), so there are fewer details about this enforcement action than there are about those above.

There are a number of compliance lessons that can be taken from the complaints and consent decrees. Each is well worth reviewing for an understanding of what, precisely, the settling company was accused of doing, and how that differed from what the FTC expects with respect to telemarketing compliance.

So How Many Health Care Privacy Laws Do We Need?

DWT — Wed, 28 Nov 2007 15:52:42 -0800

Posted by Tom Jeffry

Last week, under pressure from privacy rights activists, Vermont Senator Patrick Leahy introduced an amendment to the Wired for Health Care Quality Act [S.1693]. Until then, this bill was nurtured along by proponents of health information networks and was poised to be “hotlined” for unanimous consent without debate in Congress.

The proposed amendment uses language familiar to those of you who have read HIPAA. Terms such as “protected health information” and “notice of privacy practices” appear in both the HIPAA regulations and the proposed amendment. However, the definitions are dramatically different. For example, the proposed amendment to S. 1693 includes genetic and biometric information in the definition of protected health information and expands it to information collected or used by health researchers, schools and universities, and employers. The scope of HIPAA was limited to those traditionally engaged in the delivery of health care such as providers and payers.When HIPAA was being considered by Congress, the debate over the appropriate level of privacy protections threatened to derail the legislation. The solution then was to punt the process of establishing privacy and security standards for health care to the administrative rulemaking process of the Department of Health and Human Services. Deja vu . . . with the introduction of this amendment we are back to privacy concerns threatening legislation that has bi-partisan support to advance health care technology and potentially improve the quality and efficiency of the delivery of health care.

Of course, there is no requirement that the federal laws and regulations of our nation be consistent, avoid duplication, or otherwise articulate a uniform policy or approach. As a lawyer, I suppose I should be grateful for that. Nevertheless, rather than appending the bill intended to develop health information networks with privacy provisions that duplicate and/or contradict the HIPAA regulations, the more rational approach would be to address privacy concerns in an amendment to HIPAA and extend the application of HIPAA to health information networks.

There are some privacy provisions unique to the concerns of information available and shared through a health information network that are appropriate to retain in the legislation and proposed amendment. Mandatory notification of security breaches to the network and opt-out rights are specific privacy and security safeguards for the storage and exchange of electronic health records in such networks and addressed in the S. 1693 proposed amendment.