Privacy and Information Security: Enforcement Trends and Best ...

  1. D. Reed Freeman, Jr. 202/ 342-8880 [email_address]
     PRIVACY AND INFORMATION SECURITY: ENFORCEMENT TRENDS AND BEST PRACTICES
     ABA Consumer Protection Conference, January 29, 2007

  2. Recent Trends in FTC and State Enforcement
     • Data Breach Notification
     • SPAM Enforcement
     • Spyware
     • Telemarketing and Do-Not-Call
     • Pretexting
     • Information Security
     • COPPA
     • International Cooperation
     • Liability for Acts and Practices of Business Partners
     • Placement of Privacy Disclosures

  3. Data Breach Notification
     • 34 states, 2 territories and a city
       ◦ Different definitions of “personal information”
       ◦ 28 states have a safe harbor for encrypted data
       ◦ 12 states have a safe harbor where there is no reasonable likelihood of injury, harm, loss, or risk
       ◦ Different timing, content, and recipients for notices
         ▪ 7 states require regulator notice
         ▪ 20 states require CRA notice
       ◦ Different enforcement mechanisms: 14 states allow a private right of action

  4. Data Breach Notification (Cont’d)
     • Single, federal rule this year?
     • Some litigation even where no law is on the books
       ◦ Oregon -- Providence Health System-Oregon
       ◦ AVC available at http://www.doj.state.or.us/media/pdf/finfraud_providence_avc.pdf

  5. SPAM Enforcement
     • 7 cases in 2006
     • Civil penalties, consumer redress near $1 million
     • Number of cases and dollar amounts increasing
     • Recent trend in holding email marketers liable for the email activities of affiliates
       ◦ FTC v. Global Net: due diligence before entering into affiliate relationships; monitoring during the relationship
       ◦ Settlement at: http://www.ftc.gov/os/caselist/0423168/051116stip0423168.pdf
     • Focus tends to be on deceptive subject lines, from lines, effective opt-out mechanisms, unauthorized relays, disclosure that the email is an advertisement, and failure to display a physical address
     • Practice Tip: Yesmail case and filtering opt-out requests by email
       ◦ Settlement at: http://www.ftc.gov/os/caselist/0623002/061024yesmailstipfnl.pdf

  6. Spyware
     • 11 FTC and state cases in 2006
       ◦ E.g., Odysseus, Zango
       ◦ Stipulated interim order in Movieland (January 12, 2007)
       ◦ New York AG case against Direct Revenue
       ◦ Washington AG High Falls Media and Secure Computer cases
     • Attention to placement and proximity of privacy disclosures; effect of software on consumers’ computers; uninstall mechanisms
     • FTC chairman’s speech and cases suggest that “critical” information should be disclosed clearly and conspicuously
     • Fines increasing – up to $3 and $4 million
     • Injunctive relief includes affiliate marketing restrictions similar to those in spam cases
     • Implications and practice tips for all companies offering software downloads

  7. Telemarketing and Do Not Call
     • 9 cases in 2006
     • High priority for the FTC
     • Fines going up: do-not-call settlements as much as $5.3 million
       ◦ Latest do-not-call settlement: $100,000 with DirecTV telemarketing vendors (December 14, 2006)
     • Do-not-call cases often focus on facts specific to the existing business relationship with consumers and entity-specific do-not-call lists

  8. Telemarketing and Do Not Call (Cont’d)
     • FTC also aggressively using its “assisting and facilitating” authority against:
       ◦ payment processors
       ◦ partners that set up sham corporations
       ◦ list providers
       ◦ fulfillment houses
       ◦ Most recent case: Global Marketing Group, et al. (December 20, 2006) (payment processor in advance fee loan case)
     • Prerecorded calls: FTC announced it will continue to forbear enforcement of call abandonment provisions in connection with prerecorded calls to consumers with whom the seller has an established business relationship until the end of its prerecorded call abandonment proceeding (December 18, 2006)

  9. Pretexting
     • 6 FTC cases involving pretexting for telephone records in 2006
     • Increasing priority for FTC and states
       ◦ HP settlement -- $14.5 million
       ◦ Complaint and settlement available at: http://ag.ca.gov/newsalerts/release.php?id=1394&PHPSESSID=03f57f9da61374df31606e0393aac4c8
     • New Telephone Records and Privacy Protection Act of 2006
       ◦ Illegal to obtain a person’s telephone records without authorization
       ◦ Penalties: up to 10 years in prison; up to $500,000 fine
     • Reverse liability? -- Potential liability for corporate victims of pretexting

  10. Information Security
     • 14 total cases through 2006; 4 major cases in 2006
       ◦ Guidance Software (deception)
       ◦ ChoicePoint (FCRA, unfairness, deception); (redress program announced December 6, 2006)
       ◦ CardSystems (unfairness)
       ◦ DSW (unfairness)
     • Common factual allegations:
       ◦ failing to protect against “Structured Query Language” attacks by implementing simple, low-cost, and readily available defenses to SQL attacks;
       ◦ storing sensitive information in clear, readable, unencrypted text that could be accessed through commonly known IDs and passwords;

  11. Information Security (Cont’d)
     • Common FTC allegations in information security cases (Cont’d)
       ◦ storing user credentials in readable text, facilitating unauthorized access (failing to use strong passwords);
       ◦ failing to monitor and control connections to the network, including through wireless connections;
       ◦ failing to employ sufficient measures to detect unauthorized access to sensitive personal information;
       ◦ failing to authenticate recipients of sensitive personal information;
       ◦ storing sensitive information for longer than necessary; and
       ◦ failing to conduct security investigations or audits.

  12. Information Security (Cont’d)
     • Latest data from Privacy Rights Clearinghouse
       ◦ February 5, 2005 - January 24, 2007
         ▪ 100,738,417 records subject to breach
         ▪ 455 reported incidents
     • GLB Safeguards Rule and its application beyond financial institutions
     • FTC guidance and best practices
       ◦ See http://www.ftc.gov/bcp/conline/pubs/buspubs/safeguards.htm

  13. COPPA
     • Status of the rule
       ◦ Rule kept as is on the sliding scale approach
     • Cases
       ◦ FTC got its biggest fine ever -- $1 million, in the Xanga case
       ◦ Complaint and consent decree available at: http://www.ftc.gov/opa/2006/09/xanga.htm
       ◦ Practice tip: when collecting date of birth as required by COPPA, make sure your back-end systems actually use it!
     • New implications for social networking sites

  14. International Cooperation
     • SAFE WEB Act
       ◦ Expanded information sharing with and from foreign law enforcers
       ◦ Expanded investigative cooperation with foreign law enforcers
         ▪ Allows FTC to conduct investigations on behalf of foreign law enforcement authorities in appropriate cases -- scope yet to be determined
       ◦ FTC remedial authority in cross-border cases
       ◦ Clarifies FTC authority to make criminal referrals
       ◦ Allows for foreign staff exchange programs

  15. Liability for Acts and Practices of Business Partners
     • Growing trend in FTC and state enforcement
     • Cases
       ◦ Email marketing
       ◦ Telemarketing
       ◦ Spyware
       ◦ Rebates
       ◦ Information security next?
     • Fundamental principles: due diligence and monitoring

  16. Placement of Privacy Disclosures
     • Cases
       ◦ Odysseus
       ◦ Zango
       ◦ Advertising.com
       ◦ Enternet Media
       ◦ Washington v. High Falls Media
       ◦ Recent case in the negative option context: Think All Publishing (January 25, 2007)
     • Implications for online and offline industries generally

  17. Helpful Resources
     • ABA Consumer Protection and Privacy and Information Security Committees
     • IAPP Daily Dashboard
     • DM News
     • BNA Internet Law News
     • MediaPost
     • Your own complaints

  18. Questions? Reed Freeman, Lew Rose, John Villafranco: 202 342.8821, 202 342.8423, 202 342.8880