Presented at NetDiligence Cyber Risk & Privacy Liability Forum in Santa Monica, Calif., Oct. 8-9, 2014.

1. NetDiligence®
Cyber Risk & Privacy
Liability Forum
October 8-9, 2014
1

2. Big Data &
Wrongful Collection
2

3. Speakers
Lincoln Bandlow
moderator
Partner
Lathrop & Gage LLP
Los Angeles,
California
Dominique Shelton
Partner
Alston & Bird LLP
Los Angeles,
California
Emily Tabatabai
Privacy Attorney
Orrick, Herrington &
Sutcliffe LLP
Washington, D.C.
Christina Tusan
Attorney
Federal Trade
Commission
3

4. Five Big Data Reports in May 2014
• May 1, 2014 - White House release Big Data led by John Podesta. See, Executive Office of the President, Big
Data: Seizing Opportunities, Preserving Values (Executive Office of the President, May 1,2014).
• May 1, 2014: White House releases technological feasibility Big Data report. See, President’s Council of
Advisors on Science and Technology, Big Data and Privacy: A Technological Perspective (the “PCAST Report).
• May 15, 2014: The Senate released a report on malware. Senate Permanent Subcommittee on
Investigations, “Online Advertising and Hidden Hazards to Consumer Security and Data Privacy (May 15,
2014).
• May 21, 2014: CA AG came out with her report on privacy policies See, Att’y Gen. Kamala D. Harris, Making
Your Privacy Practices Public: Recommendations on Developing a Meaningful Privacy Policy, (Cal. Dep’t of
Justice, May 21, 2014), available at http://tinyurl.com/CAAGMakingYourPrivacyPractices .
• May 27, 2014: Data Broker report. See, F.T.C., Data Brokers: A Call for Transparency and Accountability (May
27, 2014).
4

5. May 2014 Reports
5

6. Takeaways
• The Senate, FTC and CA AG are focused on “Big Data” and
behavioral tracking in particular.
• There is a renewed focus on transparency. Regulators are
concerned that consumers don’t understand the advertising/data-broker
ecosystem (i.e., the number of trackers on websites and
mobile apps).
• Use of internal data-tagging can provide a method for companies to
access to Big Data within companies.
• New laws will be proposed.
• FTC will be using Section 5 of the FTC Act to enforce.
6

7. Behavioral Tracking Class Actions
(Privacy Claims under The Electronic
Communications Privacy, Stored
Communications Act and Wiretap Act)
7

8. How Big are “Do Not Track” Class Actions?
– 195 Do Not Track class actions have been filed in the past 36
months, and 12 mobile app class actions have been filed in the past
eight months.
– On June 11, 2013, the largest privacy class action was affirmed by
the 7th Circuit – 1 billion exposure based on behavioral tracking.
– The plaintiffs’ bar is focusing on privacy class actions.
– The FTC has increased its enforcement activity.
– Based upon global and U.S. trends, more focus on privacy and
tracking will occur in 2014.
8

9. Do Not Track Cases
Washington - 3
Montana - 2
California - 108 Arizona - 1
Colorado - 1
Minnesota- 1
Wisconsin - 1
Illinois - 8
Missouri - 4
Arkansas - 17
Louisiana - 1
Texas - 6
Alabama - 2
Michigan- 1 Rhode Island - 1
Georgia - 4
Florida - 4
Ohio - 1
Tennessee - 1
Delaware - 2
N. Carolina - 1
New York - 13
Massachusetts - 2
Virginia - 1
Maryland- 1
Connecticut - 2
New Jersey - 2
Pennsylvania - 1
Puerto Rico - 1
District of Columbia - 2
9

10. How Many Big Data Companies Have Been Named?
– 121 Companies (62% of the 195 actions) have included Big Data companies – e.g., data
analytics, ad networks, exchanges, mobile marketing).
– Software company Carrier IQ (67 class actions).
– Analytic Companies: (32 class actions)
• Google (24 class actions)
• Other analytic companies(e.g., Kissmetrics, Flurry, Millenial Media, comScore) (8 class
actions)
– Ad Networks and Ad Exchanges(21 class actions)
• Quantcast, Clearspring, Mobile Ringleader (no defunct), Traffic Marketplace, Interclick,
Mob Clix, quattro, Admob, PulsePoint
– Cloud: Amazon (1) class action.
10

11. “Do Not Track” Typical Class Action Claims
11

12. Harris v. comScore
• Plaintiffs alleged tracking based upon downloads
of bundled software that did not disclose tracking
technologies or comScore’s name.
• Plaintiffs alleged inadequate privacy disclosures.
• Sought to certify 10 million user class at $10,000
statutory damages under the stored
communications act.
12

13. Harris v. comScore
• Key takeaways:
– Court held common questions of fact and law
predominated.
– Plaintiffs could self-identify to become members of the
class – Note: This is highly unusual and rarely permitted.
– Emails contained in comScore’s records were considered
sufficient to ascertain class members.
Harris v. comScore, Inc., 292 F.R.D. 579 (N.D. Ill. 2013).
13

14. Harris v. comScore: June 11, 2013,
7th Cir. Affirms Certification of -1 Billion Class
14

15. Harris v. comScore $1 billion exposure
settled May 30, 2014 for $14 million
15

16. In re Zynga Privacy Litig.,
2014 U.S. App. Lexis 8662 (9th Cir. May 8, 2014)
• The Ninth Circuit affirmed the Northern District of California’s dismissal of two putative class actions
alleging Facebook Inc. and Zynga Game Network Inc. improperly shared consumers' personal information
with advertisers, finding the social network giant and the gaming company didn’t disclose the contents of
communications.
• Plaintiffs claimed that Facebook and Zynga claims violated the Wiretap Act and Stored Communications
Act by sharing referer headings (that included user ids and the web pages viewed by the user with
advertisers and other web analytic companies).
• The Stored Communications Act says that a service provider may divulge records and other information
pertaining to a customer, but may not divulge the contents of communications, the opinion said. Customer
record information including the customer’s name, address and subscriber number, does not qualify as
contents under the federal law.
• The Ninth Circuit upheld the dismissal of the two class actions that alleged violations of the Wiretap Act
and the Stored Communications Act — sections of the Electronic Communications Privacy Act — ruling
that the plaintiffs failed to state a claim because they didn’t allege that either Facebook or Zynga disclosed
the “contents” of a communication, a necessary element of their ECPA claims, according to the opinion.
• Takeaway: No liability under ECPA for sharing referer headers alone with third parties.
16

17. Find Out What Data You Are Collecting
Because the Plaintiff’s Bar Is!
Consider a tool like Ghostery - basic license is free
17

18. Video Privacy Protection Act (“VPPA”)
18

19. VPPA Background
• The VPPA prohibits disclosure of personally
identifiable information (“PII”), including
information identifying a person as
requesting or obtaining specific video
material. 18 U.S.C. § 2710, et seq.
• The VPPA does not define PII directly,
stating that it “includes information which
identifies a person as having requested or
obtained specific video materials or
services from a video tape service
provider.” 18 U.S.C. § 2710(a)(3). This
includes information shared with vendors,
including subject matter categories. Some
vendors argue that generic categories (e.g.,
“likes sports”) are not PII.
19

20. VPPA Background
• VPPA defines “video tape service provider” to mean “any person,
engaged in the business, in or affecting interstate or foreign commerce,
of rental, sale, or delivery of prerecorded video cassette tapes or
similar audio visual materials…” 18 U.S.C. § 2710(a)(4).
• VPPA defines the term “consumer” to mean
“any renter, purchaser, or subscriber of
goods or services from a video tape
service provider.” 18 U.S.C. § 2710(a)(1).
20

21. 2012 VPPA Amendment
• The VPPA was amended in December 2012 to allow video service providers to obtain consent
electronically over the internet for a 2-year advance period with certain requirements. It
requires a separate consent (outside of a Terms of Use and Privacy Policy).
• Section 2710(b)(2)(B) was amended to permit electronic consent. Video Service Providers can
share information with the user’s informed consent as follows:
– written consent that
• Is in a form distinct and separate from any form setting forth other legal or financial
obligations of the consumer;
• At the election of the consumer;
• Is given at the time the disclosure is sought; or
• Is given in advance for a set period of time, not to exceed 2 years or until consent is
withdrawn by the consumer, whichever is sooner and
– the video tape service provider has provided an opportunity, in a clear and
conspicuous manner, for the consumer to withdraw on a case-by-case basis or
to withdraw from ongoing disclosures, at the consumer's election.
21

22. In re Hulu Privacy Litigation Background
• Case filed in 2011.
• August 2012: Two motions to dismiss based on lack of
harm and other statutory defenses failed.
• December 2013: Hulu’s motion for summary judgment
based upon lack of harm failed.
• April 28, 2014: Hulu’s motion for summary judgment re: no
disclosures of PII under the VPPA granted as to comScore
claims, denied as to Facebook.
22

23. April 28, 2014, Hulu Court dismisses Plaintiff’s comScore
claims but denies MSJ as to Facebook
• Takeaways:
– Unique identifiers plus specific titles to data analytics firm – not
a disclosure of PII under the VPPA
– Facebook ID + specific video titles may be PII if Hulu knew that
cookies provided this data before user hit the “Like” button.
– Metrics and advertising not “incident to the ordinary course of
business”
– Dicta: Unique identifiers depending on context could be PII
under VPPA – just not in this case.
23

24. In re Hulu Privacy Litigation: Motion for Class
Certification Denied (June 17, 2014)
• Plaintiffs sought to certify a Facebook class:
– All Hulu and Facebook users that involved disclosures of Facebook’s
c_user cookie (i.e., Facebook cookie that relays information to
Facebook for users that have checked the box to always stay logged
into Facebook and use the same browser to access Hulu).
• Court denied class, without prejudice. Class not ascertainable.
24

25. In re Nickelodeon Consumer Privacy Litig.,
(D.N.J. July 2, 2014) (granting motion to dismiss)
• The claims were against Google and Viacom for data collected
through the Nickelodeon and other Viacom Apps. Google not a
VTSP – all claims dismissed.
• Viacom only disclosed “anonymous information” ( e.g., “anonymous
username; IP address; browser setting; ‘unique device identifier’;
operating system; screen resolution; browser version). Not PII
under the VPPA.
• Leave to amend granted for VPPA claim and intrusion upon
seclusion against Viacom. Wiretap and SCA claims dismissed with
prejudice.
25

26. More VPPA Case to Come
• Six VPPA Class Action Lawsuits were filed in February –September 2014:
– February 17, 2014: Perry v. Cable News Network, Inc. et al., No. 1:14-cv-1194 (N.D. Ill.): On August 25, 2014, the
United States District Court for the Northern District of Illinois entered an order transferring this case to the United
States District Court for the Northern District of Georgia based upon the stipulation of the parties. The order was
executed on September 12, 2014.
– February 19, 2014: Ellis v. The Cartoon Network Inc., No. 1:14-cv-00484,(N.D. Ga): On June 6, 2014, The Cartoon
Network filed a motion to dismiss on the grounds that (1) the disclosure of a serial number for a machine alone is not
PII under the VPPA; (2) the VPPA does not apply because the plaintiff is not a “consumer” as defined by the VPPA; and
(3) the plaintiff did not allege that he has suffered any injury. The motion is fully briefed, but a hearing has not yet
been set.
– March 13, 2014: Locklear v. Dow Jones, No. Case 1:14-mi-99999-UNA (N.D. Ga): On June 23, 2014, Dow Jones filed a
motion to dismiss, on the grounds that (1) the disclosure of a serial number for a machine alone is not PII under the
VPPA; (2) the VPPA does not apply because the plaintiff is not a “consumer” as defined by the VPPA; and (3) the
plaintiff did not allege that he has suffered any injury. The motion is fully briefed, but a hearing has not yet been set.
26

27. More VPPA Case to Come
– March 28, 2014: Eichenberger v. ESPN, No. 2:14-cv-00463 (W.D. Washington): On July 31,
2014, ESPN filed a motion to dismiss, on the grounds that (1) plaintiff failed to allege any
disclosure of PII and (2) that plaintiff is not a “consumer” under the VPPA. The motion is fully
briefed, but a hearing has not yet been set.
– June 9, 2014: Robinson v. Disney, No. 14-cv-4146 (S.D. N.Y.): On August 23, 2014, plaintiffs
filed an amended complaint to properly name the Disney entity sued. On September 12,
2014, Disney filed a motion to dismiss, on the grounds that (1) plaintiff failed to allege any
disclosure of PII and (2) that plaintiff is not a “consumer” under the VPPA. Disney has
requested oral argument, but a hearing has not yet been set.
– August 22, 2014: Austin-Spearman v. AMC Network Entertainment LLC, No. 14-cv-6840 (S.D.
N.Y.): On September 15, 2014, the court entered an order extending the time for AMC to
answer or move to dismiss the complaint until October 23, 2014.
27

28. VPPA Cases Filed in February – September 2014
28

29. VPPA Compliance: Degrees of Risk
Keep video titles in referrer headers and use plugins that have tracking capabilities.
Use a landing page similar to Netflix to obtain user consent electronically.
Use subject matter of video in referrer headers (e.g., engineering, transport, shipping).
Obtain “informed written consent” per the VPPA.
Do not use titles of videos in referrer headers.
Do not use social networking plug-ins.
29

30. Takeaways
• Plaintiffs’ bar are attracted to privacy claims that
carry statutory damages.
• They have been able to overcome motions to
dismiss based on lack of Article III standing by
alleging statutory violations.
• More litigation is likely to follow.
30

31. Text Messaging Campaigns
Telephone Consumer Protection Act Risks and
Mini-State TCPAs
31

32. FCC New Regulations Effective October 16, 2013
• Prior express written consent is needed before
commercial telemarketing texts may be sent.
– User must agree to receive autodialed text messages
and evidence understanding that agreement is not a
condition of using the service. 47 C.F.R. 64.1200
– TCPA Class actions were up 70% last year. According
to InsideARM 785 TCPA cases filed in 2012; 1385 filed
in 2013.
32

33. Mobile
Privacy Disclosures and Security
33

34. Regulatory Initiatives Regarding Mobile Apps
34

35. Regulatory Initiatives Regarding Mobile Apps
CA AG, FTC and EU Article 29 Working Group Guidance
35

36. Regulatory Initiatives Regarding Mobile Apps
Five Mobile Guidances Were Released in 2013:
All Call for Just in Time/Short Form Notice
• CA AG Guidance – issued 1/10/2013
• FTC Guidance – issued 2/1/2013
• Article 29 Working Group – issued 3/2013
• NTIA Guidance – issued 7/ 2013
• DAA Guidance – issued 7/2013
• Just in Time/Short Form Notice: Notice for collection of sensitive data must be
“Just in Time,” in short form, above and beyond the privacy policy.
• PII: includes unique identifiers.
36

37. In re Fandango
(FTC Announced Settlement March 28, 2014)
• Failure to secure mobile app credit card information.
• Alleged unreasonable security for failure to
– Validate Secured Socket Layer (SSL) to prevent intervention
by hackers when users used open networks.
– Provide sufficient protection for data while at rest.
37

38. Practice Pointer: Focus on “Readability”
• Use icons – California AG and FTC
recommend it.
– See e.g., CA AG Making Your Privacy Practices
Public at p. 10
– See also,
• CA AG Privacy on the Go at p. 11
(“Graphics or icons can help users to
easily recognize privacy practices and
settings”);
• FTC, Mobile Privacy Disclosures at p.
17 (“Consider developing icons to
depict the transmission of user data”) ;
and
• FTC Protecting Consumer Privacy in an
Era of Rapid Change at p. 62 (“… icons
… show promise as tools to give
consumers the ability to compare
privacy practices among different
companies)
38

39. EU “Cookie” Directive
More than just cookies
39

40. EU Cookie Rules
• A separate EU directive governs the collection and use of personal
data through the use of cookies and similar technologies
• Like the data protection national laws, the cookie national laws are
broadly similar across the EU, although there are some divergences
• The EU cookie rules require website operators to:
– provide clear notice about cookies and their purposes; and
– obtain users’ consent to cookies,
before any cookies are set
40

41. EU ePrivacy Directive
• Not limited to cookies!
• No distinction between types of technologies used
to store or retrieve information on users’ devices
(e.g., cookies, web beacons, flash cookies, GIFs)
– No distinction between different types of cookies (e.g.,
functionality, performance, targeting), with the exception
of cookies deemed “strictly necessary”
41

42. Cookie Categories
42

43. Prominent Pop-Up Notices
• A pop-up notice that explains that cookies are used and provides a link to more
information.
• May (or may not) request that the user consents to the website’s use of
cookies.
(source: Everything Everywhere)
43

44. Banner Notices
• A banner that informs users that cookies are used, and provides a link to further
information on those cookies.
(source: NatWest)
44

45. Practical Guidance
1 2 3 4 5
• Local Terms
• Global Terms
• Managing Consent
Audit
Managing Compliance
Governance Security Train regarding
your policies
Involve All
Related
Players
Repeat
♦ How is Big Data
being used?
♦ Risk Avoidance and
Mitigation
♦ Protocols
♦ Policies
♦ Procedures
♦ Compliance with
laws and companies
best practices
♦ Technological
♦ Policy
45

46. Big Data Risks
• Alienating customer / brand degradation
– 89% of internet users have stopped using a website over privacy concerns
– “creepy”
– data collection is unexpected or depth of analysis is unanticipated
• “Personalization” of content can lead to discrimination
• Aggregated data may not be anonymous after all
46

47. Big Data Quality Risks
• Working with stale data
– location data gets stale quickly
– data point may be relevant only for small period of time
• Algorithms are not infallible
– you may be relying on inaccurate conclusions
• Data cannot be verified by data subject
– data subjects may not be able to confirm, modify, review or even access data
47

48. Legal Risks of Big Data
• Transparency and notice
– Difficulty of providing effective notice
– Companies often collect data before they have real understanding of how they will use it
– Onward transfers; first party versus third party
• Consent and choice
– Data subjects lack understanding of the implications of consent
– May have no opportunity to opt-out
• Security
48

49. Risks of Collecting Sensitive Data
• Loss of data could trigger state data breach notification laws
– Credit card, bank account, Social Security Numbers, driver’s license numbers
• Children’s data
– COPPA
– FERPA
– State laws re: marketing to children
• Health data
49

50. Industry-Specific Risks
• Educational technology sector
– 36 states introduced legislation to curb collection of student data this year
• Financial institutions
– GLBA
• Credit and employment screening
– FCRA
50

51. FTC Background
• Who are we?
• What is data security?
51

52. FTC Act Fundamentals
• Section 5 of the Federal Trade Commission Act broadly prohibits “unfair
or deceptive acts or practices in or affecting commerce.”
– Deception  a material representation or omission that is likely to mislead
consumers acting reasonably under the circumstances
– Unfairness  practices that cause or are likely to cause substantial injury to
consumers not reasonably outweighed by countervailing benefits to
consumers or competition.
• Flexible law that can be applied to many different situations, entities,
and technologies
52

53. FTC Act
• To comply, you should:
– Handle consumer information in a way that's
consistent with your promises.
– Avoid practices that create an unreasonable risk
of harm to consumer data.
53

54. FTC Background: Authority
Other statutes and rules apply in particular circumstances:
Safeguards Rule (implements
Gramm-Leach-Bliley Act)
“Financial Institutions” must ensure the security and
confidentiality of sensitive customer information.
Fair Credit Reporting Act
(FCRA)
Requires specific handling and reporting when using
data for certain purposes (e.g., offering credit, hiring)
Red Flags Rule Financial institutions/certain creditors must
implement program to detect identity theft “red flags.”
Children’s Online Privacy
Protection Act (COPPA)
Requires reasonable security for information
collected from children online.
54

55. FTC Data Security
Law Enforcement
55

56. 56

57. Law Enforcement: Guiding Principles
• Security must be reasonable and appropriate in light of
the circumstances.
• Breach doesn’t necessarily = lack of reasonable security.
• BUT no breach doesn’t necessarily = reasonable security.
• Data security is an ongoing process.
57

58. Some Common Privacy Failures
• Rolling out a new service or feature that increases sharing
without adequate notice and consent
• Misrepresenting with whom data is being shared
• Misrepresentations about tracking and opting out of
tracking
• Presenting false choices
58

59. Law Enforcement: Section 5 Deception
• Fandango and Credit Karma (2014): mobile security
• GeneWize (2013): oversight of service providers
• PLS Financial Services Inc. (2012): proper disposal and
training
• Goal Financial LLC (2008): data security policies
59

60. Law Enforcement: Section 5 Unfairness
• GMR Transcription Services (2014): oversight of service
providers
• Accretive Health Inc. (2013): laptop security; improper
access
• Ceridian Corporation (2011): service providers liable
60

61. Recent Settlement: Accretive Health (2013)
• Alleged that respondent failed to take reasonable and
appropriate measures to prevent against unauthorized access.
• Among other things:
– Transported laptops containing PII in manner that made them
vulnerable to theft/misappropriation;
– Not adequately restrict access to PII based on employee's need
for info.;
– Didn't ensure that employees removed PII from computers for
which no longer had business need;
– Used consumers' PII in training sessions without ensuring that
this PII was removed from employees' computers after training.
61

62. Recent Settlement: Trendnet (2013)
• Alleged that respondent failed to provide reasonable security to prevent unauthorized access to the
live feeds from its IP cameras, which respondent offered to consumers for the purpose of
monitoring and securing private areas of their homes and businesses.
• Among other things:
– Transmitted user login credentials in readable text, even though have free software that can
secure such transmissions.
– Stored login credentials in readable text on user's mobile device, even though have free
software to secure these credentials.
– Failed to implement process to monitor security vulnerability reports from third-party
researchers, etc.
– Failed to employ reasonable and appropriate security in design/testing of IP software. Failed
to: (i) perform security review/testing of software at key points; (ii) implement reasonable
guidance/training for any employees responsible for security.
62

63. Recent Settlement: HTC (2013)
• Alleged that respondent failed to employ reasonable and appropriate security practices
in the design or customization of the software on its mobile devices.
• Among other things:
– Failed to implement adequate program to assess the security of products it
shipped to consumers.
– Failed to implement adequate privacy and security guidelines/training for its
engineering staff.
– Failed to conduct assessments, etc. to identify potential security vulnerabilities in
its mobile devices.
– Failed to follow well-known and commonly-accepted secure programming
practices.
– Failed to implement a process for receiving and addressing security vulnerability
reports from third-party researchers, etc.
63

64. Deceptive Privacy & Security Claims
• The FTC has brought cases against companies that
misrepresented their privacy & security procedures.
• Companies claimed to have strong procedures in place to
protect the information they collected. In fact, the
companies failed to anticipate or address substantial and
well-known security risks.
64

65. Deceptive Privacy & Security Promises
• Google
– Deceived consumers by using info collected from Gmail users to
generate and populate a new social network, Google Buzz, despite
claims to the contrary
– FTC charged that Gmail users’ associations with their frequent email
contacts became public without the users’ consent
– Order requires Google to implement a comprehensive privacy program
and conduct biennial audits for the next 20 years; provide affirmative
express consent for any change to a product or service that makes
consumer info more widely available
65

66. Deceptive Privacy & Security Promises
• Twitter
– Provided privacy controls to users to keep private “tweets” and
nonpublic user info – including mobile phone numbers – private
– However, because of serious lapses in security, hackers obtained
unauthorized administrative control of Twitter, accessed private info,
and took over user accounts
– Order prohibits misrepresentations about the extent to which Twitter
protects the privacy of communications, requires reasonable security,
and mandates independent, comprehensive security audits
66

67. Fair Credit Reporting Act (FCRA)
• Credit transactions are extremely common in the U.S.
• Consumer reporting agencies collect public record info
(judgments, tax liens, criminal records), credit info,
employment info--both positive and negative
• The information is sensitive and subject to strict
privacy protections under the FCRA
67

68. Fair Credit Reporting Act (FCRA)
• Allows sharing of consumer information by consumer reporting
agency only if such sharing serves a permissible purpose.
• Permissible purpose generally
– Credit transaction
– Insurance
– Employment (with consent)
– Other uses with written consent of consumer
• Requires CRAs to maintain reasonable procedures to ensure
that users have a permissible purpose
68

69. Fair Credit Reporting Act (FCRA)
• Truncation rule: Requires that electronically printed
credit and debit card receipts must shorten -- or truncate
-- the account information. You may include no more
than the last five digits of the card number, and you must
delete the card’s expiration date.
69

70. Fair Credit Reporting Act (FCRA)
• Disposal rule: Requires anyone who obtains consumer report
information to use "reasonable" measures when disposing of it.
• Burn, pulverize, or shred papers and destroy or erase electronic files or
media containing consumer report information so they cannot be read or
reconstructed
• Service Providers/Third Parties:
– Contracts with record owners
– Direct liability as record owners through provision of service directly
to a person subject to the Rule.
– Contracting with legitimate document destruction companies,
outside records retention managers.
– Due diligence
70

71. Case Example: ChoicePoint, Inc.
• The FTC alleged that ChoicePoint failed to use
reasonable procedures to screen prospective
subscribers and monitor their access to sensitive
consumer data
• These failures allowed identity thieves posing as
legitimate businesses to obtain access to the personal
information of many consumers
• At least 800 cases of identity theft arose out of these
incidents.
71

72. Case Example: ChoicePoint, Inc.
• Record $10 million civil penalty for violations of the FCRA
• $5 million in consumer redress for identity theft victims
• Significant injunctive provisions
72

73. Case Example: Spokeo
• Spokeo collected personal information about consumers from hundreds of online and
offline data sources, including social networks. It merges the data to create detailed
personal profiles of consumers.
• The FTC alleged that Spokeo operated as a consumer reporting agency and violated the
FCRA by failing to make sure that the information it sold would be used only for legally
permissible purposes; failing to ensure the information was accurate; and failing to tell
users of its consumer reports about their obligation under the FCRA, including the
requirement to notify consumers if the user took an adverse action against the
consumer based on information contained in the consumer report.
• The FTC alleged that Spokeo deceptively posted endorsements of their service on news
and technology websites and blogs, portraying the endorsements as independent when
in reality they were created by Spokeo's own employees.
73

74. Case Example: Spokeo
• Settlement imposed an $800,000 civil penalty
• Settlement bars Spokeo from future violations of the
FCRA, and bars the company from making
misrepresentations about its endorsements or failing to
disclose a material connection with endorsers
74

75. Case Example: T-J-Maxx
• Stored personal information on, and transmitted it between and within,
in-store and corporate networks in clear text.
• Did not limit wireless access to its networks, allowing an intruder to
connect wirelessly to in-store networks without authorization.
• Did not require network administrators and others to use strong
passwords.
• Failed to limit access among computers and the internet, such as by using
a firewall to isolate card authorization computers.
• Failed to detect and prevent unauthorized access to computer networks
or to conduct security investigations, such as by patching or updating
anti-virus software or following up on security warnings and intrusion
alerts.
75

76. Some Common Remedies
• Injunction against misrepresentations;
• Comprehensive data security or privacy program appropriate to the company’s
size, nature of activities, and information collected;
• Third party assessments of these programs for up to 20 years;
• FTC monitoring of compliance
• Other specific requirements, e.g., disclosures, privacy choices, data deletion, or
software updates; and
• Civil penalties for rule and order violations.
76

77. Best Data Security
Practices for Businesses
77

78. Information Security:
Four Points that Guide the FTC’s Enforcement
• Information security is an ongoing process.
• A company’s security procedures must be reasonable and
appropriate in light of the circumstances.
• A breach does not necessarily show that a company failed to
have reasonable security measures – there is no such thing as
perfect security.
• Practices may be unreasonable and subject to FTC
enforcement even without a known security breach.
78

79. Protecting Personal Information:
A Guide for Businesses
5 key principles:
1. Take stock. Know what personal information you have in your files and on your computers.
Know who has physical and electronic access to your files.
2. Scale down. Keep only what you need for your business.
3. Lock it. Protect the information that you keep.
4. Pitch it. Properly dispose of what you no longer need.
5. Plan ahead. Create a plan to respond to security incidents. Implement a plan to for physical
security, electronic security, employee training and oversight of service providers.
79

80. Prioritizing Computer System Risks
• Check expert consensus lists that identify and offer defenses for the commonly
exploited vulnerabilities that pose the greatest risk of harm to your information
systems.
– The 20 Most Critical Internet Security Vulnerabilities (www.sans.org/top20) Describes
vulnerabilities in Windows and UNIX. Has links to scanning tools and services at
www.sans.org/top20/tools.pdf.
– The 10 Most Critical Web Application Security Vulnerabilities (www.owasp.org) Describes
common vulnerabilities for web apps and databases and the most effective ways to address
them. These vulnerabilities are as important as network issues.
• For more FTC tips, see Security Check: Reducing Risks to Your Computer Systems,
http://business.ftc.gov/documents/bus58-security-check-reducing-risks-your-computer-
systems.
80

81. Protecting Personal Information:
Tips on General Network Security Part 1 of 3
• Identify computers or servers where sensitive personal
information is stored.
• Identify all connections to these computers (e.g., Internet,
electronic cash registers, computers at your branch offices,
computers used by service providers to support your network,
digital copiers, and wireless devices like smartphones, tablets, or
inventory scanners).
• Assess the vulnerability of each connection to commonly known or
reasonably foreseeable attacks.
81

82. Protecting Personal Information:
Tips on General Network Security Part 2 of 3
• Don’t store sensitive consumer data on a computer with an
Internet connection unless it’s essential for your business.
• Encrypt sensitive data that you send to third parties over public
networks (like the Internet), and consider encrypting sensitive
data stored on your network or on portable storage devices.
Consider encrypting emails within your business that contain
personally identifying information.
• Regularly run up-to-date anti-virus and anti-spyware programs
on your network.
82

83. Protecting Personal Information:
Tips on General Network Security Part 3 of 3
• Check expert websites (e.g., www.sans.org) and software vendor
websites regularly, and implement policies for installing vendor-approved
patches.
• Consider restricting employees’ ability to download unauthorized
software.
• Scan computers on your network to identify and profile the
operating system and open network services. Disable services that
you don’t need.
• When you receive or transmit credit card or other sensitive
financial data, use Secure Sockets Layer (SSL) or another secure
connection to protect it in transit.
83

84. Contractors and Service Providers
• Before you outsource a business function (payroll, web hosting, data
processing, etc.) investigate the company’s data security practices and
compare their standards to yours. If possible, visit their facilities.
• Address security issues for the type of data your service providers
handle in your contract with them.
• Insist that your service providers notify you of any security incidents
they experience, even if the incidents may not have led to an actual
compromise of your data.
84

85. Incident Response Plans
• Have a plan to respond to security incidents. Designate a senior staff member to
coordinate and implement the plan.
• If a computer is compromised, disconnect it immediately from your network.
• Investigate security incidents immediately and take steps to close off existing
vulnerabilities or threats to personal information.
• Consider whom to notify in the event of an incident, both inside and outside your
organization. You may need to notify consumers, law enforcement, customers,
credit bureaus, and other businesses that may be affected by the breach. In
addition, many states and the federal bank regulatory agencies have laws or
guidelines addressing data breaches. Consult your attorney.
85

86. Outsourcing
• Businesses subject to U.S. laws that outsource personal
information retain responsibility for ensuring that there are
reasonable procedures in place to safeguard that information.
– This responsibility is the same whether the service
provider is located within the U.S. or offshore.
86

87. Data Brokers and the FTC Report
• FTC issued a report analyzing data from nine data brokers
• Data Brokers Collect Consumer Data from Numerous Sources, Largely Without Consumers’
Knowledge, and Collect and Store Billions of Data Elements on Nearly Every U.S. Consumer
• The Data Broker Industry is Complex, with Multiple Layers of Data Brokers Providing Data to Each
Other
• Data Brokers Combine and Analyze Data About Consumers to Make Inferences About Them,
Including Potentially Sensitive Inferences, and Combine Online and Offline Data to Market to
Consumers Online
• To the Extent Data Brokers Offer Consumers Choices About Their Data, the Choices are Largely
Invisible and Incomplete
87

88. Findings from Data Broker Report
• Data brokers collect consumer data from extensive online and offline sources, largely without consumers’
knowledge, ranging from consumer purchase data, social media activity, warranty registrations, magazine
subscriptions, religious and political affiliations, and other details of consumers’ everyday lives.
• Consumer data often passes through multiple layers of data brokers sharing data with each other. In fact,
seven of the nine data brokers in the Commission study had shared information with another data broker in
the study.
• Data brokers combine online and offline data to market to consumers online.
• Data brokers combine and analyze data about consumers to make inferences about them, including
potentially sensitive inferences such as those related to ethnicity, income, religion, political leanings, age,
and health conditions. Potentially sensitive categories from the study are “Urban Scramble” and “Mobile
Mixers,” both of which include a high concentration of Latinos and African-Americans with low incomes.
The category “Rural Everlasting” includes single men and women over age 66 with “low educational
attainment and low net worths.” Other potentially sensitive categories include health-related topics or
conditions, such as pregnancy, diabetes, and high cholesterol.
88

89. Findings from Data Broker Report
• Many of the purposes for which data brokers collect and use data pose
risks to consumers, such as unanticipated uses of the data. For example, a
category like “Biker Enthusiasts” could be used to offer discounts on
motorcycles to a consumer, but could also be used by an insurance
provider as a sign of risky behavior.
• Some data brokers unnecessarily store data about consumers indefinitely,
which may create security risks.
• To the extent data brokers currently offer consumers choices about their
data, the choices are largely invisible and incomplete.
89

90. 90

91. FTC Guidance
General Information
Visit www.business.ftc.gov for more information
Mobile
Mobile App Developers: Start with Security
http://www.business.ftc.gov/documents/bus83-mobile-app-developers-start-security
Marketing Your Mobile App: Get It Right from the Start
http://www.business.ftc.gov/documents/bus81-marketing-your-mobile-app
Mobile Privacy Disclosures Staff Report: Building Trust Through Transparency
http://www.ftc.gov/os/2013/02/130201mobileprivacyreport.pdf
Children’s Online Privacy Protection Act (COPPA)
COPPA: A Six-Step Compliance Plan for Your Business
http://www.business.ftc.gov/documents/bus84-childrens-online-privacy-protection-rule-six-step-compliance-plan-your-business
Complying with COPPA: Frequently Asked Questions
http://www.business.ftc.gov/documents/Complying-with-COPPA-Frequently-Asked-Questions
91

92. Thank you.
92