Secure Times Spring 2010

Analysis of the legal and policy issues around geolocation and location-aware apps and services.
  1. 1. The Secure Times VOLUME 5, NO. 1 SPRING 2010 NEWSLETTER OF THE SECTION OF ANTITRUST LAW’S PRIVACY AND INFORMATION SECURITY COMMITTEE EDITORS: IN THIS ISSUE Where Are We Headed? Sorting out the Legal and Alysa Zeltzer Hutnik Policy Questions around Location Apps ahutnik@kelleydrye.com By Saira Nayak . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 2 Mary Ellen Callahan Will Laws That Build Upon PCI-DSS Lead to Greater mary.ellen.callahan@dhs.gov Security? By Chris Nutt and Frank Nagle . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9 David B. Esau desau@carltonfields.com The New Wave of Privacy and Data Security Considerations Affecting Cross Channel Marketing Carla A. R. Hine by Retailers chine@mwe.com By Benita Kahn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14The Secure Times is published by theAmerican Bar Association Section of Data Security and Privacy Audits: Steps to ProtectAntitrust Law’s Privacy and Informa- Reportstion Security Committee. The viewsexpressed in The Secure Times are the By Dana Rosenfeld and Kristin Hird . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20authors’ only and not necessarily thoseof the American Bar Association, theSection of Antitrust Law or the Privacyand Information Security Committee. When Does an Organization Have a P2P Problem?If you wish to comment on the contents By Kristin Cohen . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23of The Secure Times, please write tothe American Bar Association, Sectionof Antitrust Law, 321 North Clark St., National Data Security Standards: PotentialChicago, IL 60610 Implications of Preemption COPYRIGHT NOTICE John Fedele . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 
. . . 28Copyright 2010 American Bar Association.The contents of this publication maynot be reproduced, in whole or in part,without written permission of the ABA.All requests for reprints should be sentto: Director, Copyrights and Contracts, A Word From the Chair:American Bar Association, 321 N. Clark,Chicago, IL 60654, FA X: 312-988-6030, We are pleased to present this latest edition of The Secure Times. This issue has aemail: copyright@abanet.org. particular focus on practical considerations associated with business and legal is- sues facing many privacy and data security practitioners – whether as a result of new technology, evolving privacy standards, data security threats, and new legal requirements. Articles include a legal and policy analysis of locational mobile ap- plications; a forensic view of PCI-based laws and whether they are likely to improve S E C T I O N O F security practices; evolving privacy considerations in cross-channel marketing; ANTITRUST LAW privilege considerations with data security and privacy audit reports; P2P risks and
  2. 2. The Secure Times VOLUME 5, NO. 1 | SPRING 2010remediation strategies; and potential effects of nationalizing their marketing efforts. This article delves into some ofdata security standards. We hope that you find this informa- the legal and policy considerations under laws in the Unit-tion informative and useful. ed States that privacy practitioners may want to consider when counseling companies on the privacy and securityPlease also check out the Privacy and Information Secu- impact of geo-location and location apps. The article alsority Committee’s website, and our online forum, www. discusses the important market developments and otherthesecuretimes.com, which tracks the latest developments factors that are driving adoption of this important and in-on privacy and security issues, courtesy of our terrific creasingly useful technology.contributors to our monthly privacy updates. Finally, asalways, if you would like to become more involved in our Location Apps: Old Wine in a New BottleCommittee – whether as a speaker, article or blog contrib- Geo-location technology has been in use since 1999 andutor, or in a behind-the-scenes role – please let us know. has a wide range of application. Online retailers andHappy reading. payment processors use it to authenticate users; the tech- nology is also used in electronic tolling systems on bridges,Alysa Z. Hutnik and in the monthly swipe cards you use on public transit systems.4 On your phone, location apps work to identifyWhere Are We Headed? 
current location using your computer’s IP address or yourSorting out the Legal and Policy smart phone’s GPS chip.Questions around Location Apps Location app development and adoption accelerated withSaira Nayak the introduction of smartphones.5 Industry insiders pointFrom Silicon Valley to Silicon Alley, the mobile web is to the iPhone and Google Maps (an early location app), asbooming with location applications (apps) featuring some of the first examples of geo-location at work. With“geo-location”1 – a type of technology that associates the over 45 million devices sold worldwide, the iPhone con-location of your computer or phone with a physical venue tinues to be a significant factor driving geo-locationsuch as a restaurant or a store.2 This technology allows (and smartphone) adoption worldwide.6 Development ofcompanies to gain valuable real-time information about location-based apps is also active on other smartphonethe marketplace and their customers, while also provid- platforms – such as Google’s Android and Microsoft’s Win-ing users with relevant, location-specific discounts and dows Mobile.services. Geo-location is having a truly transformative im- Location apps can be plugged in to existing social mediapact on the online marketing business – because it is able platforms – such as Facebook and Twitter – which allowto bring discounts and promotions directly to the point of third-party developers to integrate geo-location apps intopurchase.3 their service.7 This means that, with little technologi-As “geo-marketing” heats up, so does the need to counsel cal investment, a company can leverage the capabilitiescompanies that are considering use of location apps in of existing platform services – like Facebook – to further 2
  3. 3. The Secure Times VOLUME 5, NO. 1 | SPRING 2010its marketing strategy. That’s precisely what McDonalds are male or female, etc. Foursquare also allows devel-aimed to do when it “friended” Facebook in a well-pub- opment of compatible applications on its platform. Forlicized marketing deal recently. Working together, the instance, Yipit13 is a Foursquare plug-in that determinescompanies plan to create a location app that will direct the consumer’s best daily deal at shops, retailers andyou to the nearest McDonalds location. The app will also restaurants in his or her area. Because Yipit plugs intoallow users to personalize their location-based Facebook Foursquare, it also lets consumers know if there’s a goodstatus updates with pictures of a favorite McDonald’s in- deal going at one of the places the consumer has previ-dulgence.8 ously checked into using Foursquare’s app. • Pepsi is about to launch Pepsi Loot, which it describesMany other companies are starting to integrate geo-lo- as “the first geo-based iPhone application that has a loy-cation into their loyalty program and marketing efforts alty program associated with it.”14 This location app willthrough innovative location apps that run on a user’s connect users to the ecosystem of over 200,000 restau-smartphone.9 Examples include: rants or “Pop Spots” that serve Pepsi products. With• Macy’s and Best Buy, who are working with Shop- this many locations, Pepsi customers will have plenty kick, a Palo Alto-based start-up, on a mobile app that of opportunities to earn and redeem Loot points for dis- will enhance consumers’ brick-and-mortar shopping counts and other goodies (like exclusive music and video experience by providing “personalized offers, product downloads). 
Pepsi is also working to integrate its loyalty information and peer advice, as well as guidance on program into Foursquare’s mobile app; Pepsi Loot users which stores have the best offers.” 10 Shopkick was the would get a Foursquare notification when they are close creator of Causeworld, an extremely popular mobile app to a Pepsi Pop Spot. that allows shoppers to redeem “karma points” while These examples illustrate the rich diversity of companies shopping at participating retailers, and then convert (and business models) currently integrating geo-location those points to charitable donations. into their product or market strategy.• The Loopt mobile app11 allows consumers to check-in to various locations (retailers, restaurants), and instantly How Does Current US Law Apply to Location share consumer check-ins with their network. Loopt Apps? also works with retailers to provide coupon offers at the We’ve seen that geo-location is both an exciting techno- point of interest, eliminating the need to coupon clip. logical trend and an important marketing tool – one that• Foursquare12 combines the fun of a game with the util- provides crucial, time-sensitive data to companies about ity of geo-location by allowing consumers to earn badges their customers. Combining customers’ data profile with based on the number of places they’ve checked into. The their precise geographic location can be clearly beneficial company recently introduced a tool that allows partici- to a company’s promotional efforts. In the absence of a pating businesses to see data on their Foursquare-using comprehensive federal privacy framework addressing geo- customers: number of check-ins, how many check-ins location, how should legal advisors counsel companies seeking to capitalize on this exciting technology? What 3
  4. 4. The Secure Times VOLUME 5, NO. 1 | SPRING 2010type of obligations does this type of data collection trigger loyalty-based program for its users using geo-location ser-under current federal and state laws? vices like Loopt or Foursquare? In such cases, it’s a good idea to review the terms of service and privacy policies ofHere are some important points to remember when coun- other parties implicated by the agreement.seling clients on the data security and privacy implicationsof using location apps in a product or marketing strategy: For example, if your client is developing a mobile app with geo-location features for the iPhone, then you will wantKnow Your App to review Apple’s iPhone developer agreement to makeFactual due diligence is very important when counseling sure that the technology meets Apple’s requirements forcompanies around the use of geo-location and location iPhone apps. For instance, a recent version of the iPhoneapps. It is important to be mindful of policies around the Developer Agreement requires that all iPhone apps thatcollection and storage of geo-location data, and whether use “location-based APIs” be compliant with “all appli-that data can be linked to individual users.15 When com- cable privacy and data collection laws and regulations….”17bined with personal information, geo-location data can be Once the location is deployed, it’s a good idea to monitorextremely sensitive. The ability to create a “super data pro- partner policies for important changes. 
For example,file” – that merges a user’s personal information with their Apple recently announced changes to its developer policylocation – has raised privacy concerns with both consumer that prohibits use of the iPhone’s geo-location features foradvocates and regulators.16 apps that are designed primarily to deliver targeted ads.18Ideally, the legal advisor would already be familiar with the Once the factual due diligence is complete, and before thecompany’s business model and technology. A preliminary location app or service is launched, the company shouldstep would be to review the company’s existing informa- amend its information security practices, as well as its pri-tion security practices to determine what type of personal vacy and other notices, to reflect the collection and use ofinformation is already being collected and the data flows geo-location data.for that information. Next, the legal advisor would needto determine how the location app would collect data, how Do FTC Principles on Behavioral Advertisingthat data would be stored, and what data flows are involved. Apply? Two years ago – in a particularly prescient move - the FTCThe data flow question is critical. To get the full answer, held a town hall meeting on mobile marketing, where itthe legal advisor will need to ask questions about whom the specifically discussed the privacy impact of location-basedcompany is partnering with for development, deployment, services.19 The FTC’s findings from that workshop are in-and marketing of the location app. Will the company share cluded in a report discussing the FTC’s Self-Regulatorygeo-location data with an online advertiser or marketer? Principles for Behavioral Advertising.20 The four Princi-Will the company host the location app on its own mobile ples21 are not binding regulations or statutes, but they door Internet website, or on a social-media platform like provide guidance for self-regulatory efforts. They are:Facebook? 
Does the company want to develop a virtual 4
  5. 5. The Secure Times VOLUME 5, NO. 1 | SPRING 2010Principle 1 - Transparency and Control; is inconsistent with its privacy policy, may be liable un-Principle 2 - Reasonable Security and Limited Data Re- der state and federal26 deceptive trade practices laws. To tention of Consumer Data; avoid this type of risk, companies should make sure that their data collection and use matches what is laid out in thePrinciple 3 - Affirmative Express Consent for Material company’s privacy policies and notices. Retroactive Changes to Privacy Promises; and A company can also be found to have engaged in an “un-Principle 4- Affirmative Express Consent to (or Prohibi- fair” practice under federal27 and state28 laws for failing to tion Against) Sensitive Data. protect personally identifiable data.The Principles specifically apply to companies engaged in With the proliferation of location apps on smartphones,“behavioral advertising” – which is defined as “the track- companies may need to start thinking about different,ing of consumers’ online activities over time … in order to more creative forms of notice29 to comply with federaldeliver advertising targeted to the individual consumer’s or state laws – or risk losing users who eventually tire ofinterests.”22 The Principles omit first-party advertising, being notified every single time the app is opened. Takei.e., ads generated in response to a single website visit or the example of a mobile store locator app – a notificationsearch query, from the definition. each time you open the app to locate a store would be re-Based on the testimony at the 2008 Town Hall and other dundant, especially since you are electing to have the appcomments, FTC staff has recommended that “precise geo- guide you to the store’s location in the first place. 
A less in-graphic location” be classified as a sensitive category of trusive method, which would be just as effective, could beinformation – one that deserves “heightened protection.”23 an initial notification – supplemented by key reminders forAs we saw earlier, FTC staff also recommend that an “af- important events like software updates.firmative express consent” or user opt-in be obtained forcollection of sensitive data. Since the Principles are in- Federal and State Data Security Obligationstended to provide self-regulatory guidance, companies In instances where geo-location data is being combinedshould strongly consider using opt-in notice for location with personal data to provide a service, legal advisorsapps – especially if they also plan to use the collected data should be mindful of obligations that certain types offor target advertising efforts. companies have under other federal and state laws for collection and protection of personal information. TheseBe Aware of Liability under Deceptive or include:Unfair Trade Practices Laws Children’s Online Privacy Protection Rule – Under au-Under Section 5 of the FTC Act,24 and similar state stat- thority from Congress, the FTC has issued rules governingutes,25 companies can be prosecuted for privacy violations the online collection of personal information from chil-stemming from a “deceptive” notice. Put differently, a dren, which applies to websites and online services thatcompany that captures data for one purpose, and then are directed to children under the age of 13.30 The FTC isproceeds to use that same data for another purpose that 5
  6. 6. The Secure Times VOLUME 5, NO. 1 | SPRING 2010currently reviewing COPPA and considering, among other State Security Breach Notification Laws – a majoritythings, whether to expand the definition of “personal in- of states have laws that require consumers to be notified information” under the rule to include “mobile geo-location the event that their “personal information” is “breached.”37data.”31 State Safeguard Laws – eight states, including Califor-HIPAA32 and FTC Health Breach Rule – If the com- nia, Maryland and Texas – have enacted general safeguardpany developing a location app is a “covered entity” under laws to protect personal information.38HIPAA, then activities involving personal health informa- State Business Record Disposal laws – at least 19 statestion may come under the ambit of HIPAA and the FTC’s now have laws that regulate the disposal of business re-Health Breach Notification Rule.    Under the recent HI- cords containing personal information.39TECH amendments, HIPAA obligations now apply to“business associates” of covered entities, such as third Massachusetts Data Security Regulations – obligesparty service providers.33   companies to encrypt the personal information of Mas- sachusetts’ residents.40 These encryption requirementsFACTA and The FTC Red Flag Rules – Under author- apply broadly and include personal information stored onity from the Fair and Accurate Credit Transaction or laptops as well as other portable devices.”41“FACTA,” the FTC has promulgated the Red Flags Rules,which it will enforce starting December 31, 2010. These Applicable Law from other JurisdictionsRules require that “creditors” and “financial institutions” While this article focuses on the application of U.S. law, le-develop written information security programs that iden- gal advisors should consult laws and guidance from othertify potential “red flags” for identity theft.34 Companies relevant jurisdictions. 
European law, in particular, maythat come within the ambit of this rule may consider red- differ from U.S. requirements. For instance, Europe’s e-flagging geo-location data – particularly if it is used in privacy Directive states that an individual’s location datacombination with personal information to deliver target- may not be stored once the service is provided – unlessed ads or services. that data is needed for billing and interconnection pur-Section 222 of the Federal Communications Act – re- poses.42 These laws continue to evolve rapidly; Mexico justquires that telecommunications providers take specific announced its first-ever Federal Law for the Protection ofsteps to secure customer proprietary network information Personal Data, which proscribes regulations for both pub-(CPNI).35 lic and private entities.43Electronic Communications Privacy Act - sets out Looking Ahead: Regulation and the Futurerequirements under which the government can access of Location Appsprivate Internet communications. This includes elevated The future of geo-location technology and location-basedprocess such as a warrant for certain categories of person- apps is closely aligned with the ongoing debate aroundal information that are considered “content.”36 what constitutes effective regulation of privacy and data 6
  7. 7. The Secure Times VOLUME 5, NO. 1 | SPRING 2010security online. This is a debate that continues to evolve being allowed to remotely power-off a lost phone to pro-in all branches of government – administrative, judicial, tect valuable data. Clearly these are valuable uses of theand legislative. The FTC has signaled its intent to articu- technology that should not be restricted due to locationallate a national framework to protect consumers’ privacy privacy concerns.online, while also supporting self-regulatory approaches. It is likely that our perspective on location apps willCongress is currently considering federal privacy legis- change with increased adoption of geo-location tech-lation that will impose additional notice obligations on nologies. Already, geo-location is becoming an almostcompanies with regards to the collection and use of per- ubiquitous feature of the mobile web – a feature that en-sonal data.44 Privacy legislation has been introduced in hances other applications and services. Will widespreadCongress that classifies “precise geolocation information” adoption of this technology eventually alleviate privacyas sensitive data, and would require that the user spe- concerns about its use? Much of that answer will lie incifically opt-in to use of this type of data for advertising how favorable the user experience is with the technology,purposes. Finally, in a decision that will likely impact pri- and whether people are able to trust that their personalvacy analysis for all types of electronic communications, information will not be compromised by use of a locationthe Supreme Court is currently considering the important app or service. One thing is certain – it is likely that thequestion of whether there is a reasonable expectation of rules governing the collection and use of geo-locationprivacy in text messages sent by government employees data will change in the near future. 
Legal advisors andunder the Fourth Amendment.45 practitioners should continue to monitor all activity –In addition to government attention on the issue, con- government-initiated, as well as those in the court ofsumer advocates have been publicly vocal about their public opinion.policy concerns with geo-location. These concerns most- Saira Nayak is a Principal at Nayak Strategies, wherely focus on the ability of governments and other entities to she counsels companies on privacy and data compliance,create comprehensive data profiles that may compromise as well as regulatory outreach.   She can be reached ata user’s locational and other privacy.46 The Electronic saira@nayakstrategies.com.  The information containedFrontier Foundation, in its whitepaper on locational pri- in this article is not intended as, nor should it serve as avacy, highlights two additional concerns: retention of substitute for, legal advice, which turns on specific facts.geo-location data may subject a company to legal requestsfor data, and storing geo-location data over extended pe-riods of time will increase the likelihood of identity theft. Endnotes 1 Apparently, “geo-location” is the tech buzzword of the year.Proponents argue that the geo-location has some very Daniel Ionescu: Geolocation 101: How it Works, the Apps,beneficial uses – some of which have yet to be discovered and Your Privacy, http://www.pcworld.com/article/192803/ geolocation_101_how_it_works_the_Apps_and_your_privacy.– and that over time, these benefits will outweigh the html (last visited May 14, 2010)privacy concerns about the technology. Consider, for in- 2 Wikipedia.com, Geo-location, http://en.wikipedia.org/wiki/stance, the utility of being able to locate a lost phone, or Geo-location (last visited May 14, 2010) 7
  8. 8. The Secure Times VOLUME 5, NO. 1 | SPRING 20103 Stephanie Clifford, Linking Customer Loyalty with Social 16 Marshall Kirkpatrick, Location Data Sensitive Like Medical Networking, New York Times, April 28, 2010, http:// Information, Says Congressional Witness, http://www. www.nytimes.com/2010/04/29/business/media/29adco. readwriteweb.com/archives/location_data_sensitive_like_ html?emc=tnt&tntemail0=y medical_information_s.php (last visited May 14, 2010).4 Wikipedia.com, Geo-location Software, http://en.wikipedia. 17 iPhone Developer Program License Agreement, § 3.3.7., http:// org/wiki/Geolocation_software (last visited May 14, 2010) www.eff.org/files/20100302_iphone_dev_agr.pdf (last visited May 14, 2010).5 Wikipedia.com, Location-Based Service, http://en.wikipedia. org/wiki/Location-based_service (last visited May 14, 2010) 18 Bruce Chen: iPhone Devs Not Allowed to Use Geo-location Just for Ads, http://www.wired.com/gadgetlab/2010/02/iphone-6 Sarah Perez: iPhone OS International Growth on the Rise, Still apps-not-allowed-to-use-geolocation-just-for-ads/ (last Dominates Mobile Web Traffic, http://www.readwriteweb.com/ visited May 14, 2010). archives/iphone_os_international_growth_on_the_rise.php (last visited May 14, 2010) 19 See generally Transcript of Town Hall Record, Beyond Voice: Mapping the Mobile Marketplace (May 6, 2008)7 This is how you can post your Foursquare check-ins on Facebook (Session 4, “Location-Based Services”), available at http:// or add your current location to your tweets. htc01.media.globix.net/COMP008760MOD1/ftc_web/ transcripts/050608_sess4.pdf8 Emily Bryson York: McDonalds to Use Facebook’s Upcoming Location Feature, http://adage.com/digital/article?article_ 20 FTC BA Principles Report, http://www.ftc.gov/os/2009/02/ id=143742 (last visited May 14, 2010) P085400behavadreport.pdf9 Simon Salt: What’s Next For Geolocation? Apps, Apps, Apps, 21 Id. at 30 – 42. 
http://www.readwriteweb.com/archives/whats_next_for_ geolocation_apps_apps_apps.php (last visited May 14, 2010) 22 Id. at 46.10 Shopkick Signs Major Partnership Deals with Best Buy and 23 Id. at 42. Macy’s in Lead-Up to App Launch in the Summer, http://www. prweb.com/releases/mobile/retail/prweb3923484.htm (last 24 15 U.S.C. § 45 (a)(1). visited May 14, 2010). 25 See, e.g., Massachusetts Consumer Protection Act, Mass. Gen.11 Loopt, http://www.loopt.com/loopt (last visited May 14, 2010). Laws. Ch. 93A §2(a) (2009)12 Foursquare, http://foursquare.com/ (last visited May 14, 26 See, e.g., In the Matter of Microsoft Corp., FTC Docket No. 2010). C-4069 (Dec. 20, 2002) (alleging that company violated privacy promises for its Passport product).13 Yipit, http://yipit.com/perch/san-francisco/ (last visited May 14, 2010). 27 15 U.S.C. § 45 (a)(1). See, e.g., Life is good, Inc., FTC Docket No. C-4218 (Apr. 16, 2008) (alleging that the company violated14 Dan Butcher: Pepsi rolls out multifaceted LBS mobile loyalty promises about the security provided for customer data); initiatives, http://www.mobilemarketer.com/cms/news/ Petco Animal Supplies, Inc., FTC Docket No.C-4133 (Mar. 4, database-crm/6138.html (last visited May 14, 2010). 2005) (same).15 FTC staff has recommended that “precise geographic location” 28 See, e.g., Cal. Bus. & Prof. Code, §17200 (West 2009). be given “heightened protection.” FTC Staff Report, Self- Regulatory Principles for Online Behavioral Advertising 29 It is notable that the following language was added to the final (2009) (FTC BA Principles Report) at 42, http://www.ftc.gov/ version of the FTC Behavioral Advertising Report: “Where the os/2009/02/P085400behavadreport.pdf. data collection occurs outside the traditional website context, companies should develop alternative methods of disclosure and consumer choice that meet the standards described above (i.e., clear, prominent, easy-to-use, etc.).” FTC BA Principles Report, at 48. 8
  9. 9. The Secure Times VOLUME 5, NO. 1 | SPRING 201030 16 C.F.R. § 312. 44 Rep. Boucher and Rep. Stearns introduced a discussion draft of the yet un-named legislation on May 4, 2010. http://www.31 See FTC Seeks Comment on Children’s Online Privacy boucher.house.gov/images/stories/Privacy_Draft_5-10.pdf Protections; Questions Whether Changes to Technology Warrant Changes to Agency Rule, http://www.ftc.gov/ 45 See generally City of Ontario v. Quon, 529 F.3d 892, cert. opa/2010/03/coppa.shtm granted, (U.S. Dec. 14, 2009) (No. 08-1332).32 42 CFR Part 2. § 164.501. 46 The Electronic Frontier Foundation has published a white paper on locational privacy which is defines as “the ability of33 See Complying with FTC’s Health Breach notification rule, an individual to move in public space with the expectation http://www.ftc.gov/bcp/edu/pubs/business/idtheft/bus56. that under normal circumstances their location will not be shtm systematically and secretly recorded for later use.” Andrew J. Blumberg & Peter Eckersley: On Locational Privacy, And How34 Identity Theft Red Flags and Address Discrepancies Under to Avoid Losing it Forever, http://www.eff.org/wp/locational- the Fair and Accurate Credit Transactions Act of 2003, 16 privacy (last visited May 14, 2010). C.F.R. § 681 (2007).35 CPNI data includes phone numbers called, frequency, duration and timing of such calls and related services purchased by the Will Laws That Build Upon PCI-DSS consumer. 47 U.S.C. §151 (1996). Lead to Greater Security?36 The Electronic Communications Privacy Act of 1986, 18 U.S.C. § 2510. By Chris Nutt and Frank Nagle37 See, e.g., Fla. Stat. Ann. §817.5681 (1)(a) (2009). According Minnesota, Nevada, and Washington have enacted laws to a recent post on the Proskauer privacy blog, 46 states – with the exception of Alabama, Kentucky, New Mexico, and that provide financial institutions, e.g., banks, with the South Dakota – now have data breach laws. http://privacylaw. 
ability to recover the costs of reissuing payment cards proskauer.com/2010/04/articles/data-breaches/its-not-too- late-to-come-to-the-party-mississippi-joins-45-other-states- after cardholder data has been stolen. With re-issuance by-enacting-a-security-breach-notification-law/ costs estimated to be between “$20.00 and $50.00”1 for a38 California enacted the nation’s first general information single card, this could have a tremendous impact on many safeguard law. Cal. Civ. Code §1798.81.5(b) (2009). organizations.39 See, e.g., Cal. Civ. Code §1798.81 (2009). Each state has its own requirements for protecting card-40 Standard for the Protection of Personal Information of holder data, but most state laws rely, to some extent, on Residents of the Commonwealth, 201 CMR 17.00 (2009), http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg. the Payment Card Industry Data Security Standard (PCI- pdf DSS). It is clear, for example, that the PCI-DSS standards41 201 CMR 17.04(5) . have impacted the state laws in Minnesota,2 Nevada,3 and Washington.4 In this article, we review the technical re-42 Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of quirements of PCI-DSS to examine whether they will personal data and the protection of privacy in the electronic positively impact security and reduce payment card fraud. communications sector (Directive on privacy a nd electronic communications), Article 9, para 1, OJ L 201, 31.L7.2002. Our analysis of PCI-DSS is split into two sections:43 The law also provides for up to $1.5 million in penalties for weaknesses and strengths. Contrasting the technical violations. http://www.senado.gob.mx/gace61.php?ver=gace ta&sm=1001&id=2879&lg=61 (last visited May 14, 2010). requirements with real world implementation of best 9
practices in various industries, including those not subject to PCI-DSS, we attempt to identify whether PCI-DSS’s technical requirements will “enhance cardholder data security.”

Weaknesses

There are several weaknesses in the PCI-DSS technical requirements, three of which are discussed in the following sections. We chose to discuss these three specific weaknesses in PCI-DSS because the recommendations are widely accepted security practices and their implementation would substantially increase the protection of cardholder data.

1. Encryption of Network Traffic

PCI-DSS requirements do not adequately protect cardholder data when it is transmitted across computer networks. Even though PCI-DSS requirement 4.1 requires the “use of strong cryptography and security protocols such as SSL/TLS or IPSEC to safeguard sensitive cardholder data during transmission,” the standard falters in that it limits where these cryptosystems are required. The standard specifically states that cryptography need only be used over open, public networks, such as the Internet, wireless technologies, Global System for Mobile communications (GSM), and General Packet Radio Service (GPRS). While it is important to encrypt sensitive information over open networks, it is equally important to secure sensitive data transmitted over any network, including an organization’s Local Area Network (LAN) – the network that connects computer systems in a small physical area.

Sensitive data must be encrypted whenever and wherever it is transmitted because the security of the media and nodes cannot be guaranteed, even on a LAN. Having cardholder data transmitted unencrypted on any computer network introduces risk that the data will be intercepted. This is especially true because PCI-DSS does not require networks that store, process, or transmit cardholder data to be isolated from general purpose computing systems.5 This exposes cardholder data to risk from a breakdown in physical security (for example, an attacker connecting an external device to the network), as well as from general purpose computing systems that have been compromised. Because general computing systems are used to access the Internet and email, they are much more likely to be compromised. When these systems are not segmented from networks where cardholder data is stored, processed, or transmitted, they could be used to target cardholder data transmitted over a shared medium.

To reduce the risk of cardholder data being stolen during transmission, PCI-DSS should require that cardholder data be encrypted anytime and anywhere it is transmitted.

2. Application Privileges

PCI-DSS also does not require the concept of “least privilege” to be applied to application accounts. PCI-DSS requires least privilege to be applied to user accounts, but says nothing of the level of privilege assigned to application accounts. PCI-DSS requirement 7.1 addresses least privilege only from the perspective of “need to know,” meaning only users filling job roles that require access to cardholder data should have access to cardholder data.

Least privilege, however, is equally important for accounts used to run applications, especially when these applications have access to sensitive data. In order to function, applications must have access to system resources. As with user accounts, application accounts are often assigned privileges in excess of those required for the application to function properly. Taken alone, this is not a tremendous
risk because an attacker must first be capable of having the target application perform unintended tasks on the attacker’s behalf. Unfortunately, injection vulnerabilities,6 which result in an attacker executing code, other applications, or commands in the context of the application’s account, are very common and difficult to identify. Once a vulnerability is identified, excess privileges assigned to an application account could permit an attacker to access additional systems or data, posing a substantial risk to cardholder data.

PCI-DSS should require applications to be run with the minimum privileges necessary to operate properly. This is in line with a layered defense strategy, and would mitigate the risk to cardholder data.

3. Legacy Encryption and Authentication Protocols

The PCI-DSS standards also do not prevent the use of insecure authentication protocols. Legacy encryption and authentication protocols are mentioned only in the context of wireless networks. There are, however, legacy encryption and authentication protocols that are frequently leveraged by attackers to obtain unauthorized access to systems and data. One of the most common is the legacy LAN Manager hash (LM hash).

Password hashes are a way of storing and authenticating a user without storing the user’s password in clear text. In the Microsoft Windows 95 and Windows 98 operating systems,7 the LM hash was used to store user passwords. The LM hash is a legacy method for storing passwords, and has substantial weaknesses8 (the password is converted to upper case, padded to 14 characters, and hashed as two independent 7-character halves, so each half can be attacked on its own) that would allow an attacker to obtain a password from a password hash within seconds. For backward compatibility, LM hash support was built into all Microsoft operating systems and enabled by default until the release of Microsoft Windows Vista. Since every Microsoft operating system prior to Windows Vista stores, by default, passwords that are less than 15 characters as an LM hash, this vulnerability is a substantial risk to many organizations. While an attacker must be able to place and execute tools on a target system to access the LM hash, this has proven to be a simple task in many environments.

PCI-DSS should require applications to use secure encryption and authentication protocols outside of the context of wireless networks. This also is in line with a layered defense strategy, and would greatly mitigate the risk to cardholder data.

Strengths

PCI-DSS requirements do not address all security concerns or all security best practices, but the requirements do a good job of identifying first steps to protecting sensitive data. Our experience has shown that security best practices are rarely implemented when not required by an authoritative body such as the PCI Security Standards Council. Organizations often wait until they have been compromised and specific security best practices are recommended to them by an incident response firm. Because PCI-DSS requires adherence to a subset of security best practices that reduce risk and mitigate attacks, we believe that PCI-DSS improves security, and that laws that utilize PCI-DSS requirements as their basis will similarly help improve security.

In the sections below, we identify five specific PCI-DSS sub-requirements that are important to the overall defense of an organization and an effective incident response. These requirements highlight the strengths of PCI-DSS.
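The injection-plus-excess-privilege scenario from the Application Privileges weakness above, worked through in code. This is an added example written for this page; it is not code from the article or from MANDIANT. It uses Python’s built-in SQLite. SQLite has no database accounts, so the application’s account is modelled with sqlite3’s authorizer hook, which refuses the connection any read of the `cards` table; on a real RDBMS the equivalent is a dedicated database role granted SELECT only on the tables the application needs. The table names, sample rows, and payload are all constructed for the example.

```python
"""Added example: an injection flaw in a low-value query reaches cardholder
data when the application's database account is over-privileged; least
privilege on that account contains the same flaw. Schema, rows and payload
are constructed for illustration."""
import sqlite3

SCHEMA = """
CREATE TABLE orders (id INTEGER, customer TEXT, item TEXT);
CREATE TABLE cards  (id INTEGER, customer TEXT, pan TEXT);
INSERT INTO orders VALUES (1, 'alice', 'lamp'), (2, 'bob', 'chair');
INSERT INTO cards  VALUES (1, 'alice', '4111111111111111'),
                          (2, 'bob',   '5500000000000004');
"""


def open_db(least_privilege: bool) -> sqlite3.Connection:
    """Fresh in-memory database; optionally restricted to the orders table.

    The authorizer stands in for a database role (assumption for the
    example): it is consulted when a statement is compiled, and denying a
    SQLITE_READ of `cards` rejects the whole statement."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    if least_privilege:
        def authorizer(action, arg1, arg2, db_name, trigger_or_view):
            if action == sqlite3.SQLITE_READ and arg1 == "cards":
                return sqlite3.SQLITE_DENY
            return sqlite3.SQLITE_OK
        conn.set_authorizer(authorizer)
    return conn


def lookup_orders_vulnerable(conn, customer):
    """Order lookup with the customer name pasted into the SQL text."""
    sql = "SELECT id, customer, item FROM orders WHERE customer = '%s'" % customer
    return conn.execute(sql).fetchall()


def lookup_orders_safe(conn, customer):
    """Same lookup with a bound parameter: the input is data, never SQL."""
    sql = "SELECT id, customer, item FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()


# Payload that turns the order lookup into a dump of the cards table;
# the trailing comment marker swallows the closing quote of the original query.
PAYLOAD = "x' UNION SELECT id, customer, pan FROM cards --"


def demo():
    """Returns (rows leaked, whether least privilege blocked it, safe result).

    A fresh connection is opened per scenario because sqlite3 caches
    compiled statements, and the authorizer only runs at compile time."""
    # Over-privileged account + vulnerable query: PANs come back as "orders".
    leaked = lookup_orders_vulnerable(open_db(least_privilege=False), PAYLOAD)

    # Same vulnerable query, account that cannot read `cards`: the database
    # refuses the injected statement, so the application bug is contained.
    try:
        lookup_orders_vulnerable(open_db(least_privilege=True), PAYLOAD)
        blocked = False
    except sqlite3.DatabaseError:
        blocked = True

    # Parameterised query: the payload is just an unknown customer name.
    safe = lookup_orders_safe(open_db(least_privilege=False), PAYLOAD)
    return leaked, blocked, safe


if __name__ == "__main__":
    print(demo())
```

The second scenario is the point of the section: the query is still broken, but the account it runs under cannot reach the data the attacker wants, so the injection fails at the database rather than at the incident response firm. The parameterised query is the fix for the bug itself; least privilege is the layer that holds when the next such bug is missed.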
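The daily log review that requirement 10.6 (discussed below) calls for only happens in practice when it is automated. The following is an added example written for this page, not code from the article or from the tools cited in its endnotes, of the kind of detection logic such a review runs: it parses sshd-style authentication lines with ISO timestamps and flags password guessing against a host, and a login that succeeds while that guessing is still within the window. The log lines are constructed, as are the host name, addresses, threshold, and window.

```python
"""Added example: automated review of authentication logs (PCI-DSS 10.6).
Log lines, host name, addresses, threshold and window are constructed for
illustration."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample: a password-guessing run against a cardholder-data host
# that ends in a successful login, followed by an ordinary user's typo.
SAMPLE_LOG = """\
2010-04-12T03:14:05 pos-db01 sshd[4121]: Failed password for root from 203.0.113.9 port 51022 ssh2
2010-04-12T03:14:07 pos-db01 sshd[4121]: Failed password for root from 203.0.113.9 port 51022 ssh2
2010-04-12T03:14:09 pos-db01 sshd[4123]: Failed password for invalid user admin from 203.0.113.9 port 51024 ssh2
2010-04-12T03:14:12 pos-db01 sshd[4125]: Failed password for root from 203.0.113.9 port 51026 ssh2
2010-04-12T03:14:15 pos-db01 sshd[4127]: Failed password for root from 203.0.113.9 port 51028 ssh2
2010-04-12T03:14:20 pos-db01 sshd[4129]: Accepted password for root from 203.0.113.9 port 51030 ssh2
2010-04-12T09:01:00 pos-db01 sshd[5201]: Failed password for jsmith from 10.1.4.22 port 40100 ssh2
2010-04-12T09:01:30 pos-db01 sshd[5203]: Accepted password for jsmith from 10.1.4.22 port 40102 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<outcome>Failed|Accepted) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<ip>\d+(?:\.\d+){3})"
)


def parse_line(line):
    """Return (timestamp, outcome, user, source ip), or None for other lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return (datetime.fromisoformat(m["ts"]), m["outcome"], m["user"], m["ip"])


def detect(lines, threshold=5, window=timedelta(minutes=5)):
    """Two rules over a sliding window of failures per source address:
      brute_force            - `threshold` failures inside `window`
      success_after_failures - a login succeeds while that many failures
                               are still inside the window
    Returns alerts as (rule, ip, user, iso timestamp)."""
    failures = defaultdict(deque)   # ip -> timestamps of recent failures
    alerts = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        ts, outcome, user, ip = rec
        recent = failures[ip]
        while recent and ts - recent[0] > window:
            recent.popleft()         # forget failures that left the window
        if outcome == "Failed":
            recent.append(ts)
            if len(recent) == threshold:   # fire once, not on every later failure
                alerts.append(("brute_force", ip, user, ts.isoformat()))
        elif len(recent) >= threshold:
            alerts.append(("success_after_failures", ip, user, ts.isoformat()))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(*alert)
```

On the sample, the first rule fires at the fifth failure from 203.0.113.9 and the second fires on the root login that follows; the single failed attempt from 10.1.4.22 produces nothing. The second rule is the one that shortens the window of exposure the article describes: it marks the moment the guessing stopped because it worked.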
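Sub-requirement 11.5 (discussed below) calls for file-integrity monitoring. The following added example, written for this page and not taken from Tripwire, Osiris, or any other product, shows what that software does at its core: hash a tree of files into a baseline, then diff a later hash of the same tree against it and report what was added, removed, or modified. The directory layout and file contents are constructed for the demonstration.

```python
"""Added example: the core of a file-integrity monitor (PCI-DSS 11.5).
Directory layout and file contents in demo() are constructed; a real
deployment stores the baseline off the monitored host and compares at
least weekly, as the sub-requirement demands."""
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk_size=65536):
    """SHA-256 of a file, read in chunks so large files stay out of memory."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root):
    """Map every regular file under root (posix-style relative path) to its hash."""
    baseline = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            if os.path.islink(full):   # follow-the-link content is not the file's own
                continue
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            baseline[rel] = hash_file(full)
    return baseline


def compare(baseline, current):
    """Classify differences between two baselines; sorted lists for stable output."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline a small tree, then tamper with it."""
    with tempfile.TemporaryDirectory() as root:
        files = {
            "etc/pos.conf": b"db_host=10.1.4.10\nencrypt=yes\n",
            "bin/posd": b"\x7fELF fake binary\n",
            "lib/libauth.so": b"\x7fELF fake library\n",
        }
        for rel, data in files.items():
            os.makedirs(os.path.join(root, os.path.dirname(rel)), exist_ok=True)
            with open(os.path.join(root, rel), "wb") as fh:
                fh.write(data)
        # Serialise the baseline as you would when storing it off-host.
        stored = json.dumps(build_baseline(root))

        # An intruder turns off encryption, drops a tool, and removes a library.
        with open(os.path.join(root, "etc/pos.conf"), "wb") as fh:
            fh.write(b"db_host=10.1.4.10\nencrypt=no\n")
        with open(os.path.join(root, "bin/.x"), "wb") as fh:
            fh.write(b"#!/bin/sh\nnc -l 4444\n")
        os.remove(os.path.join(root, "lib/libauth.so"))

        return compare(json.loads(stored), build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

Two points the code makes that the sub-requirement leaves implicit: the baseline must be kept somewhere the attacker cannot rewrite it alongside the files, and a weekly comparison bounds detection to a week after the change, which is why the products the endnotes cite are usually run daily.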
1. Log Analysis and Retention

Two of the five sub-requirements we chose to highlight originate from Requirement 10: “Track and monitor all access to network resources and cardholder data.” Tracking access to systems and resources, especially those containing cardholder data, is essential to properly respond to a security incident. The ability to utilize this data for a timely response after an intrusion relies upon both a regular review of logs and the availability of a long log history. These two issues are addressed by requirements 10.6: “Review logs for all system components at least daily…” and 10.7: “Retain audit trail history for at least one year, with a minimum of three months immediately available for analysis.” Requirement 10.6 is crucial for early identification of intrusions, but logs are rarely reviewed on a daily basis in the real world. While free log aggregation and analysis tools are available,9 merchants often do not utilize these products, and in many cases logs are never reviewed. In many investigations, we find that log analysis could have detected the incident, potentially reducing the window of exposure during which the attacker has access to the system. Logging as required by PCI-DSS results in a large amount of log files. If these files are not analyzed in an automated and timely manner, security incidents will go undetected. Requirement 10.7 is critical for enabling investigators to properly understand the full scope of an intrusion. Because incidents are often not detected in a timely manner, it is important for organizations to retain a long history of logs. We have performed a number of investigations where important log information had not been saved, which drastically impeded the investigation. As PCI-DSS is adopted by state legislatures, sub-requirements 10.6 and 10.7 will force companies to better position themselves to detect and respond to intrusions.

2. File-Integrity Monitoring

Another sub-requirement that can significantly help with early detection of incidents is sub-requirement 11.5: “Deploy file-integrity monitoring software to alert personnel to unauthorized modification of critical system files, configuration files, or content files; and configure the software to perform critical file comparisons at least weekly.” File-integrity monitoring software regularly checks important system files that are often altered by an attacker during an intrusion. By checking the integrity of these files at least weekly, organizations will be alerted to potential intrusions in a timely manner. Although file-integrity products are freely available,10 most companies do not utilize this fundamental defense mechanism due to a lack of familiarity with the workings of these types of products. We have performed many investigations where proper file-integrity checking would have alerted the organization to the breach much sooner than it was actually detected.

3. Vulnerability Scans After Significant Network Changes

Many of the PCI-DSS requirements deal with taking proactive actions to prevent intrusions from happening. One key sub-requirement that falls into this category is sub-requirement 11.2: “Run internal and external network vulnerability scans at least quarterly and after any significant change in the network.” PCI-DSS defines “significant changes” as including, but not limited to, the following:
• New system component installations;
• Changes in network topology;
• Firewall rule modifications;
• Product upgrades.
All of these events have the ability to significantly alter the security landscape of the network. The security of
the network should be re-assessed after any such changes. Getting a quarterly vulnerability scan by an approved vendor is one of the basic requirements of PCI-DSS, and most merchants who are familiar with the requirements understand and obtain such a scan. As states permit PCI-DSS compliance to form the basis of legal action, companies will be forced to better prevent intrusions by complying with sub-requirement 11.2.

4. Incident Response Plan

Finally, we highlight the last sub-recommendation in PCI-DSS, 12.9: “Implement an incident response plan. Be prepared to respond immediately to a system breach.” We have seen organizations both large and small that are not properly prepared to handle an intrusion, and often do not have any predetermined course of action when such an incident occurs. Having a plan to deal with intrusions is already a requirement for government organizations under the Federal Information Security Management Act (FISMA). A completed plan gives organizations the ability to rapidly handle intrusions when they occur, and often greatly reduces the impact of intrusions. While resources are freely available11 that offer templates for such plans, many organizations are not aware that this essential policy is required or even necessary. This can result in a chaotic response when an incident does occur. Not only does PCI-DSS require the creation of an incident response plan, it also requires that this plan be tested annually, and be modified to include lessons learned from actual intrusions. Testing and keeping the incident response plan as a living document are important steps in ensuring the organization is in a constant state of readiness for dealing with intrusions.

While all of the recommendations within PCI-DSS help an organization secure its information, we consider these five sub-recommendations to be crucial aspects of a secure environment that are often overlooked due to a lack of education about the importance of these defensive mechanisms and a lack of skill and time to implement them. As PCI-DSS becomes more incorporated in state (and potentially federal) law, these sub-recommendations will help organizations properly position themselves to react quickly and effectively to an intrusion when it occurs.

Conclusion

As more states build upon PCI-DSS to create laws, merchants will no longer face just fines from the PCI Council when they are not PCI-DSS compliant, they will also face a variety of legal actions. Exactly how these legal actions will affect small and large businesses remains uncertain. It is certain, however, that if these laws force merchants to fully comply with PCI-DSS, then these merchants will have a much higher security baseline making it harder, although not impossible, for attackers to compromise payment cards. As with many laws, PCI-DSS-related laws will only be as strong as their enforcement. PCI-DSS in its current form relies on smaller merchants to self-certify that they are compliant, and many merchants do not even go that far, often never filing the appropriate paperwork to show compliance. If PCI-DSS-related laws are not actively enforced, then it is likely that this non-compliance will continue into the future. With effective enforcement, PCI-DSS has the potential to significantly impact the security of merchants’ networks positively.

Chris Nutt is a Managing Consultant at MANDIANT where he is responsible for incident response investigations and training in incident response. Over the past six years Mr. Nutt has worked with the Fortune 500, the federal government, and federal law enforcement to investigate
and remediate complex computer intrusions. Frank Nagle is a Senior Security Consultant at MANDIANT where he performs vulnerability assessments, incident response for PCI and non-PCI related intrusions, and incident response training.

Endnotes
1 http://www.infolawgroup.com/2007/06/articles/privacy-law/minnesotas-plastic-card-security-act/
2 Minnesota Plastic Card Security Act (H.F. 1758).
3 Nevada Security of Personal Information Law (NRS 603A).
4 Protecting Consumers from Breaches of Security (HB 1149).
5 General purpose computing systems are those used for purposes other than storing, processing, or transmitting cardholder data.
6 Injection occurs when user-supplied data is sent to an interpreter as part of a command or query. Attackers trick the interpreter into executing unintended commands by supplying specially crafted data.
7 Windows is a registered trademark of Microsoft Corporation in the United States and other countries.
8 Summers, W., Bosworth, E., “Password Policy: The Good, The Bad, and The Ugly,” Proceedings of the WISICT, Vol. 58 (2004).
9 Splunk 4.1, http://www.splunk.com; OSSEC 2.4, http://www.ossec.net/
10 Tripwire 2.4.2, http://sourceforge.net/projects/tripwire/; Osiris 4.2.3, http://osiris.shmoo.com/
11 U.S. Dept. of Commerce, National Institute of Standards and Technology, NIST Special Publication 800-61, “Computer Security Incident Handling Guide” (Mar. 2008); American Institute of Certified Public Accountants, “AICPA Incident Response Plan Template For Breach of Personal Information” (2004).

The New Wave of Privacy and Data Security Considerations Affecting Cross Channel Marketing by Retailers
Benita Kahn

The Shift in Cross Channel Strategies

Ten years ago it was not unusual for retailers to reach their customers through multiple channels that included brick and mortar, phone, direct mail and an e-commerce site, with most of the emphasis in the first three categories. Over the past ten years, however, the number of Internet users has increased five-fold from 360 million users to over 1.8 billion users.1 In a recent survey, it was determined that 74 percent of American adults use the Internet and, interestingly, 55 percent of American adults connect to the Internet wirelessly with WiFi connections on laptops or handheld devices like smartphones.2 The growth in the use of mobile phones is particularly notable, with 91 percent of Americans as mobile subscribers and 257 million “data-capable” devices active on U.S. carriers’ networks.3 All of this connectivity and mobility is changing the focus of the multi-channel retailer and explains why retailers are interested in new ways to make use of these mobile channels.

Not only are we seeing changes in the types of multi-channel communication, but we are also seeing more cross channel integration. Customers are researching, shopping, and returning in any combination of channels and in ways that were not predicted a few short years ago. It is now commonplace for retailers to serve coupons to customers through text messaging and honor the coupon by merely having the customer show the code to the sales associate. With 50 million smartphones in service in the
United States, retailers can take their marketing beyond sending a coupon by text message with applications that can be downloaded to the smartphone. Apple recently disclosed that it has over 100,000 applications in its App Store and over 3 billion apps have been downloaded.4 Many of these apps make use of geolocation information that is included in the mobile unit, which allows very specific regional marketing. The speed with which the first 500,000 iPads were sold suggests more engagement with technology by consumers while on the move. The ability to connect with these engaged individuals by offering WiFi in stores or through geolocation information while the customer is in the store creates instant cross channel experiences.

During this time, retailers have also begun to place more value on the role privacy plays in gaining the trust of their customers. A recent survey of retailers shows the emergence for the first time of the significance of privacy and security to cross channel marketing, which is noted as a top business opportunity. Forty-seven percent of those retailers surveyed indicated that proactively addressing privacy and data security will enable them to move forward with an aggressive cross-channel strategy.5 This shift also shows the importance of a cross channel strategy, which is requisite to keeping a competitive position. So there is little doubt that the retailer/customer interaction will incorporate many channels and new methods of communication. How privacy will be addressed in this quickly-changing communication process is a topic that is garnering much attention.

The Role of Privacy in the Economic Incentive

Goals for the cross channel strategy are to drive traffic, generate incremental sales, and grow sales volume. These goals, however, should benefit the consumer by driving down prices with the improved efficiencies in marketing. The goals should also result in providing consumers with relevant solutions to their needs. Email provides a good example of the economic incentive cycle. Email grew so quickly because it was more efficient than postal marketing. But with the growth of email, consumers were overwhelmed and much of the email was landing in bulk mail folders. The lesson learned was that sending what the customer wants means sending less email with a higher response rate. The benefit to consumers – a more targeted email.

Meeting the goals of a cross channel strategy requires data. Retailers need data to respond more quickly to changes in demand patterns, to reduce out-of-stocks, to match product offerings to the right customer, and to improve customer service. The technology that has allowed the gathering of this information has been accomplished through such things as point of sale (POS) scanning, electronic payment options, loyalty programs using swiped cards, and electronic order management. To accomplish better offerings, however, requires aggregation and integration of data, which increases risk and complexity. The numerous data breaches over the last several years have demonstrated the risk and economic cost associated with collecting greater amounts of electronic data.

The complexity results from both state and federal laws. If information is obtained from the issuer of a retailer’s private label credit card, Gramm-Leach-Bliley concerns are raised. For example, how is the source of the data designated in a database? Given that the data can only be used in the manner the financial institution could use the data, there must be some means to designate that in the database as well. At the state level, Massachusetts has imposed very detailed data security requirements that must be addressed when storing and transmitting data.6 These rules, which went into effect on March 1, 2010, require implementation of a comprehensive information security program covering access controls, encryption, up to date software and patching, firewalls, monitoring of systems, and training. Washington, Minnesota, and Nevada have implemented data security requirements linked to an industry imposed standard – the Payment Card Industry Data Security Standards – resulting in a need to continually update compliance measures.

Retailers must also ensure that uses of data match the promises that were made when the data was collected. As part of this, a lesson that can be derived from some of the FTC consent decrees is management of third party vendors and the need to conduct due diligence, monitor, and contractually control those vendors.7 These third party vendors run the gamut from providers of applications for the smartphones to database management to providers of text message marketing campaigns. There must be a privacy professional involved in each aspect of planning at the outset who, first, must fully understand how the technology will work. Without this knowledge, it is not possible to accurately disclose data uses at the time of collection. There must also be oversight of what will be collected, who will retain and/or own the data (including evaluation of whether the retailer is merely building its vendor’s database), how the data will be stored and secured, due diligence with vendors, and, finally, the end of the life cycle of the data – its destruction. It is too difficult to reverse engineer the process later to implement these privacy protections. As a result of the complexity and the need for greater oversight, “privacy” as an isolated consideration has transitioned to a broader information governance or information risk management in more progressive companies.

This is all while keeping in mind that privacy is not just excluding or not collecting data, but rather is about understanding the desires and boundaries of the retail customer. It means developing trust and having a conversation with the customer through the channel selected by the customer and providing the information the customer wants to hear. Reaching the goals of data security, vendor management, oversight, and trust needed for a cross channel strategy will require an enterprise-wide focus. For success, policies must be driven from the top, define accountability, and then be communicated, implemented, and trained through thoughtful processes. The enterprise-wide policies should allow for privacy by design – bringing in all the necessary players at the front end of a marketing project, such as marketing, privacy, information technology, information security, finance, risk management, and legal.

The economic incentive does not rest solely in the hands of the retailer. Consumers have begun to understand the risk/reward value proposition when sharing their data and privacy plays a role in this equation. As a result, retailers also need to understand the role of privacy in the risk/reward equation and examples help demonstrate this. For consumers, the value of TJX is its discounted retail product. As a result, even after a significant data breach, consumers went back to TJX. But compare this to a mint.com that allows consumers to aggregate financial account information across multiple institutions. A core value of mint.com is trust, which also means control by the consumer. If mint.com were to have a data breach, it would lose this trust and likely many of its consumers. Knowing where the retailer stands on the value/risk/trust
continuum will also be essential in planning information governance and marketing strategies.

The Shifting Regulatory Focus

Not surprisingly, with this change of focus in cross channel marketing and more emphasis on the mobile marketing channel, new privacy and data security considerations are being raised by regulators and legislators. Over the last five to ten years, data breaches forced the focus of regulators on data security. During this time, however, companies were figuring out how to make use of data that is collected and were creating a knowledge economy, which may ultimately make privacy an important non-price element of competition. The recent FTC workshops8 and proposed privacy legislation9 indicate a shift back to a focus on privacy. Concerns are being raised relating to new risks to privacy management, the user-generated nature of the Internet, and the transition to ever-expanding marketing through mobile-based communication channels. The issues under consideration are changing the historic view of privacy. Questions are being asked as to the need for a new paradigm to match the fast-paced changes. Specific paradigms that are being questioned include notice and consent and the concept of personally identifiable information and what that includes – all while trying to maintain the long standing privacy principles of fair information practices: notice, choice, access, redress, and accountability.

Currently, there are more questions than solutions. There is definite chatter that the concepts of notice and consent, and particularly privacy policies for the notice, may have outlived their usefulness. In the recent workshops, the FTC staff frequently cited a recent survey in which the majority of consumers believed a company with a privacy policy meant the company would not share information collected. The settlement approved by the FTC for asserted deception and unfairness violations by Sears Holdings Management Corporation (Sears) has provided additional support to question the validity of notice and consent.10 There also is questioning of whether it still makes sense to make a distinction between personally identifiable information and non-personally identifiable information.

The problem with eliminating notice and consent is that no obvious replacement has yet appeared. There are, however, some consistent themes emerging. Regulators believe that privacy policies are too complicated, too vague, and too long for consumers to understand. Further, if there is to be consent, it must be informed consent. As implemented in the Sears consent decree, this requires disclosure of uses of data and whether such data will be shared with third parties in a manner that is clear, conspicuous, and unavoidable when considering size, color, contrast, location, duration, and must be readable and understandable. The task ahead is how to make disclosures clear and conspicuous when moving from a 17” screen to a 2-4” screen on a smartphone. As important will be how to make disclosures clear and conspicuous prior to a consumer downloading an application that collects and uses data about the consumer through the smartphone. Suggestions so far include replacing privacy policies with a nutrition-type disclosure or a recognizable icon to scroll over. Another approach being discussed is proportionality. This would suggest limiting the amount of data collected to avoid nefarious uses later, and, as a result, limited collection would mean limited use and limited need for retention.

There are also questions about the need for policies and notices to consumers to cover all information collected, whether online or offline. Historically, retailers could limit privacy policies to only the information collected online.
But with the merging of offline and online through cross channel marketing, regulators are questioning whether this model still works. For example, an online-only privacy policy does not address how retailers will have meaningful conversations with customers about these issues at their stores. When considering disclosures required for credit, state laws on return policies, tax issues, contract issues such as posting paycard association logos, there is little space left at the point of sale to disclose more. And with all of the other disclosures, it is unlikely that customers will read the postings.

There are also concerns over the concept of personally identifiable information, and whether PII can continue in a world where even anonymous data can be combined with enough other data to link it to email addresses, postal addresses, names, and other information to initiate targeted marketing. David Vladeck, the Director of the Consumer Protection Bureau at the FTC, stated at the recent FTC privacy workshops that the distinction between PII and anonymous information is a thing of the past. Director Vladeck therefore believes the question is how to build in transparency in clear and simple terms.11 As a result, the FTC appears to be moving away from PII and towards whether data can be tied to a person or device. This may lead to the possibility of including IP addresses as data that should be included in disclosures.

Conclusion

Retailers should take away four key messages with respect to privacy going forward:

Privacy by Design. The Facebook Beacon and Google Buzz implementations are both examples of where privacy considerations were not considered sufficiently before going public with these functions. Both privacy groups and legislators insist that the FTC investigate the privacy gaffes that occurred when these were introduced. This has led to an emphasis by the FTC on Privacy by Design – in other words, build privacy into the development life cycle at the outset.

Accountability. Someone in the organization must have a 360 degree view across all channels and all brands. Privacy governance models that are adopted must reflect the new cross channel world. This governance includes understanding the technology being used by your company and its vendors and administering the necessary controls.

Data Minimization. This has been a long-standing principle, but the business imperative to enhance the economic incentives will turn this into a push/pull conversation. Someone will need to be there to make the correct decisions for the retailer.

Transparency. Keep in mind that the privacy professional will have a different understanding of this term than the marketing professional. The privacy view is to have policies regarding collection and use visible, clear, and conspicuous. The marketing group understanding of transparency is making it non-intrusive. Someone must translate these differences and apply the risk/reward continuum to the conversation.

All of this means that the “simple” job of the privacy officer is becoming more complex. Not only will there be a continuing need to understand and comply with numerous privacy obligations, but it will now be necessary to build a strong relationship between marketing and privacy. With the focal point of data security, privacy officers worked closely with the information security professionals in their company who protect confidentiality. The new relationships that must be built for the cross channel strategy will
involve a much more complex group than just information technology. To allow the sharing of information, for example, this group will likely involve different members of information technology who are the database administrators. As retailers have begun to recognize, growing the brand through this cross channel strategy requires that privacy has an important seat at the table and it is the privacy professional who will need to act as the liaison among marketing, finance, compliance, and technology.

Benita Kahn is a partner in the Columbus, Ohio office of Vorys, Sater, Seymour and Pease LLP, and a vice chair of the ABA’s Privacy and Information Security Committee (within the Section of Antitrust). She is Chair of the Technology and Intellectual Property Group at the firm and she concentrates her practice in privacy, data security, contract negotiations and drafting, consumer protection issues, including technology and intellectual property matters and other new media advertising issues.

Endnotes
1 http://www.Internetworldstats.com/stats.htm, showing statistics from December 31, 2000 until December 31, 2009; accessed May 15, 2010.
2 http://www.pewInternet.org/Reports/2010/Internet-broadband-and-cell-phone-statistics.aspx?r=1; accessed May 15, 2010.
3 http://arstechnica.com/telecom/news/2010/03/wireless-survey-91-of-americans-have-cell-phones.ars; of the 257 million data capable devices, 50 million are smartphones capable of more advanced wireless services than SMS, MMS, and WAP browsing; accessed May 15, 2010.
4 http://www.apple.com/pr/library/2010/01/05appstore.html; accessed May 15, 2010.
5 The survey was conducted and reported by Retail Systems Research. The full results of this survey on “Building Trust and Growing the Brand: The Role of Privacy and Security in Retail 2010” can be found at http://www.retailsystemsresearch.com/_document/summary/1062, accessed on April 12, 2010. Of interest is that when the survey was taken in 2008, cross channel agendas did not show up as a business opportunity, as 74 percent had reduction of breach risk as their most important business opportunity and 59 percent stated PCI compliance as the top priority.
6 See Massachusetts 201 CMR 17.00: Standards for the Protection of Personal Information of Residents of the Commonwealth.
7 See, for example, the recently announced FTC consent decree with Dave & Buster’s, available at http://www.ftc.gov/opa/2010/03/davebusters.shtm.
8 http://www.ftc.gov/bcp/workshops/privacyroundtables/; the series of day-long public roundtable discussions explored broader issues than just cross channel marketing issues of retailers and, in fact, addressed the vast array of 21st century technology and business practices that collect and use consumer data, such as social networking, cloud computing, online behavioral advertising, mobile marketing, data brokers, third-party applications, and other diverse businesses; accessed May 15, 2010.
9 See http://www.boucher.house.gov/index.php?option=com_content&view=article&id=1957, for the May 4, 2010 release of draft privacy legislation by Representatives Boucher and Stearns; accessed May 4, 2010.
10 See Sears Holdings Management Corporation, FTC File No. 082 3099 (2009), available at http://www.ftc.gov/opa/2009/09/sears.shtm. As noted in the press release, the FTC charged that Sears “failed to disclose adequately the scope of consumers’ personal information it collected via a downloadable software application.” While Sears disclosed it would track online browsing, it was only in a lengthy user license agreement, available to consumers at the end of a multi-step registration process, that Sears further disclosed that the downloaded software would “also monitor consumers’ online secure sessions – including sessions on third parties’ Web sites – and collect information transmitted in those sessions, such as the contents of shopping carts, online bank statements, drug prescription records, video rental records, library borrowing histories, and the sender, recipient, subject, and size for web-based e-mails.”
11 See transcripts from FTC workshops available at http://www.ftc.gov/bcp/workshops/privacyroundtables/

×