Privacy & Security Law Blog

Legal Commentary and Resources for the Payment Industry

Insight & Commentary on Information Management and Protection

Monthly Archives: March 2006

Proposed Amendments to DATA Act Approved by Energy and Commerce Committee

Posted in Policy and Regulatory Positioning

Posted by Teena Lee

On March 23, 2006, the House Energy and Commerce Committee announced that it reached a bipartisan agreement on the Data Accountability and Trust Act (DATA), H.R. 4127. The amendments appear to address a couple of the concerns raised by various consumer advocacy groups to the original bill. As reported here previously, objectors complained the Act left the target of a security breach too much discretion to determine whether notification should be made and failed to grant enforcement powers to parties other than the FTC. The “manager’s amendment” appears to try to address those concerns and changes the threshold for consumer notification from a “significant risk of identity theft” to a “reasonable risk of identity theft to the individual to whom the personal information relates, fraud or other unlawful conduct” and provides enforcement powers to state attorneys general, in addition to the FTC....

FTC Announces “Largest Civil Penalty Yet” for Illegal Spam Under CAN-SPAM Act

Posted in Marketing and Consumer Privacy

Posted by Ronald London

The Federal Trade Commission announced that it has entered a consent decree with Jumpstart Technologies requiring it to pay a $900,000 civil penalty for violating the CAN-SPAM Act by sending “disguised” and misleading commercial emails, or “spam.” The payment is the largest penalty ever for illegal spam, according to the FTC. The consent decree also permanently prohibits Jumpstart from engaging in future practices prohibited by the CAN-SPAM and FTC Acts....

Steinbuch v. Cutler: When is a Personal Blog Considered Publicity?

Posted in Communications/Media

Posted by Bruce Johnson

The word “gossip” comes from a Middle English word meaning kinsman or family member. Thus, several hundred years ago, a “god sib” (the word “sib” is still preserved in our language as “sibling”) was similar to a Godparent. The composition of the word itself, and its evolution, acknowledges how chatty we are among those we know.

What happens when gossip goes beyond the kinship group, or beyond a group of friends – and ends up on the World Wide Web?

The strict legal question, to be decided by a federal court in Washington, D.C., in the next week or so is: Can a blogger’s blow-by-blow description of consensual sex give rise to an invasion of privacy claim, given that her partner also shared in the office discussions about those activities?...

And While We’re on the Subject of Cars….

Posted in Cyber and National Security

Posted by Lance Koonce

There has been a recent spate of thefts of laptops from parked cars, and in particular rental cars parked close to restaurants known to be frequented by business executives. The most prominent of these thefts was of a computer that held sensitive information about nearly 200,000 Hewlett Packard employees. reports that this problem has become so significant around Silicon Valley that “a dozen law enforcement agencies, including local police departments, the FBI and U.S. Customs Department, met to discuss the issue.”...

Internet Scams Target Car Buyers and Sellers

Posted in Technology

Posted by Brian Bennett

Experts say that scam artists are targeting just about every internet web site for automobile sales. Warning signs that consumers should watch out for are:

1) the seller or buyer won’t provide contact information, or the information doesn’t check out;

2) the transaction involves a money wire or illegitimate escrow account; or

3) the deal sounds too good to be true.

Perhaps most important to keep in mind is that once you have given your account information, your money is gone....

House Data Breach Bill, H.R. 3997, Is Unbalanced and Flawed

Posted in Policy and Regulatory Positioning

Posted by Randy Gainer

Many businesses favor a federal data breach law. Businesses need to respond to the perception among consumers that, if consumers provide sensitive private data to businesses, the data are at risk of being misused for fraud and identity theft. That perception has apparently contributed to a decrease in the number of consumers who are willing to provide their information, for example, to on-line businesses.

There are currently more than 20 state laws that require consumers to be notified when sensitive data are disclosed. They include several different standards for when such notices must be sent. This generally requires businesses with consumers from multiple states to apply the most restrictive standard, which is to notify consumers when there is any unauthorized disclosure. Many business officials would like to see a uniform national standard regarding the circumstances in which they must notify consumers. Because notifying consumers is expensive, may trigger class action lawsuits against a business, and causes harm to businesses’ reputations and goodwill, many businesses favor a notification standard that requires that consumers be notified only when consumers are likely to be exposed to fraud or identity theft as a result of a data breach....

IRS Proposes Changes That Would Allow Accountants To Sell Tax Return Information

Posted in Marketing and Consumer Privacy

Posted by Kraig Baker

The IRS has changed a rule that permits tax-return preparers to sell information from individual returns to marketers and data brokers. The proposed rules do require that taxpayers “opt-in” before the tax information could be sold. Does anyone really believe that it will be difficult to get taxpayers to “opt in?” Not only do most taxpayers sign whatever their tax preparers put in front of them, but the slippery recent history of certain large commercial tax preparers suggests that it won’t be difficult to get such opt-in consent. I expect that there will be a firestorm about these changes and that the IRS will back away from this change in the next month or so. Full story here....

The Risks of Using Service Providers to Store Confidential Information

Posted in Litigation, Policy and Regulatory Positioning

Posted by Kraig Baker

Declan McCullagh reports that the FTC issued a subpoena to Google for all contents of a user’s Gmail account, including deleted e-mails. The subpoena relates to a fraud claim. As more and more small businesses and independent contractors choose to use Google products to save money and to facilitate portability, few of them are thinking about the privacy and security implications of turning over control of these materials to Google — who may have markedly different interests when responding to the government or a party in litigation. It seems inevitable that we will continue to see subpoenas for not only search results and web-surfing results — issues where the user is using a third party provider to facilitate the use and, therefore, seems potentially public — but also for e-mail and stored files which feel different in kind to most people and, therefore, for which users will have a higher expectation of privacy....

Judge’s Decision on DOJ’s Google Subpoena Imminent

Posted in Marketing and Consumer Privacy, Surveillance

Posted by Thomas R. Burke

Still no final word from the court on yesterday’s showdown between Google and the Justice Department — although an order will likely come out this week — but U.S. District Judge James Ware appears to appreciate the concern that the federal government’s subpoena request smacks of surveillance. Declan McCullagh’s account of the contested hearing notes that the judge, based in San Jose, is reluctant to give “everything it wanted because of the ‘perception by the public that this is subject to government scrutiny’ when they type search terms into”. Discovery battles are notoriously resolved by “splitting the baby” — both sides are sent home with something, but far less than they wanted. This, however, is not your typical discovery battle. It will be interesting to watch if Google will appeal Ware’s decision. Ironically, Google’s decision to continue this battle in the Ninth Circuit Court of Appeals will largely depend too on whether the company is comfortable with the public’s perception of what search information — from now on — will be accessible by the federal government....

Chinese Bank Network Involved in New Phishing Tactic

Posted in Technology

Posted by Peter Mucklestone and Stuart Louie

As recently reported by Gregg Keizer at TechWeb News, Netcraft, a U.K.-based internet monitoring company, recently uncovered the unauthorized use of China Construction Bank Corp.’s servers by online criminals to host “spoofed sites” in order to dupe customers of American banks and online retailers. China Construction Bank Corp. is one of China’s “Big Four” state-owned banks with more than 14,200 branches across China....

While Congress Mulls Over the DATA Act, Customers’ Personal Information Remains at Risk

Posted in Policy and Regulatory Positioning

Posted by Teena Lee

On October 25, 2005, Representative Cliff Stearns (R-Fla.), introduced Bill H.R. 4127 in the House of Representatives, the Data Accountability and Trust Act (DATA). Purportedly in response to the ChoicePoint and LexisNexis breaches and failures of security, the Act, in brief, charges the FTC to promulgate regulations requiring persons engaged in interstate commerce that own or possess data containing personal information in electronic form to establish and implement information security policies and procedures concerning the treatment and protection of personal information. Notably, the bill would preempt state information security laws. On November 3, 2005, the DATA Act was approved on a vote of 13-8 by the Energy and Commerce Committee’s Subcommittee on Commerce, Trade and Consumer Protection, and has been forwarded to the full Energy and Commerce Committee, where it presently sits....

FTC Retains Children’s Online Privacy Protection (COPPA) Rule

Posted in Marketing and Consumer Privacy, Policy and Regulatory Positioning

Posted by Peerapong Tantamjarik

On March 8, 2006, the Federal Trade Commission announced that it decided to retain, without changes, the regulations implementing COPPA, a federal law enacted in 1998 to better protect children’s personal information on the web. Generally, COPPA applies to operators of websites and online services directed to children under 13 years of age that also collect personal information from children. COPPA requires such operators to adhere to a clear set of standards, such as posting a privacy policy and a link to the policy everywhere personal information is collected; providing notice to parents and, in most instances, obtaining verifiable parental consent before collecting any child’s personal information; providing parents access to their child’s information and control over deletion of the information; and maintaining the confidentiality, security, and integrity of the personal information collected from children....

Whither California’s Strict New “Junk Fax” Law?

Posted in Policy and Regulatory Positioning

Posted by Ronald G. London

A federal court judge in Sacramento has issued a declaratory ruling that the federal Telephone Consumer Protection Act (“TCPA”) preempts a new California law, slated to take effect the first of this year, to impose stricter regulations on unsolicited advertisements via facsimile by trumping an exception for faxes sent pursuant to an established business relationship (“EBR”) codified by Congress in last year’s Junk Fax Prevention Act. The decision renders new Section 17538.43 of California’s Business and Professions Code – which has never taken effect due to a provisional stay the court issued late last year – effectively unenforceable against interstate commercial faxes sent into California from outside the state. It also throws into doubt the law’s remaining vitality with respect to intrastate faxes....

Senate Intelligence Committee Votes Against NSA Probe

Posted in Cyber and National Security, Surveillance

Posted by Randy Gainer

The Senate Intelligence Committee voted today not to investigate the NSA domestic spying program. The Republican majority on the Committee instead is backing a bill that would retroactively authorize the NSA to conduct the types of domestic electronic surveillance the NSA has been conducting since at least 2001. The bill, termed the Terrorist Surveillance Act of 2006, would reportedly permit the NSA to conduct surveillance without a warrant for 45 days before justifying the wiretapping to any court. The Senate Committee’s refusal to investigate the Bush Administration’s decision to ignore the Foreign Intelligence Surveillance Act (“FISA”) means that it is up to the courts to enforce FISA and constitutional principles, such as separation of powers principles, and First and Fourth Amendment rights....

Electronic Health Records

Posted in Healthcare

Posted by Brian Bennett

The Chairperson of the House Federal Workforce subcommittee, Jon C. Porter, is proposing legislation to promote the use of electronic health records in the federal employee health insurance program. Health information technology is viewed by many health professionals as an important step towards the availability of accurate and complete patient information, and ultimately cost-effective treatment of patients. Privacy advocates are concerned about threats to patient privacy posed by a national electronic health records system. Congressman Porter says that he would expect electronic medical records to be at least as safe as transactions involving financial information, which may not be much comfort to federal employees given the spate of recent data breaches....

The NY Times Sues the Department of Defense

Posted in Cyber and National Security

Posted by Steve Chung

The New York Times has sued the U.S. Department of Defense for its failure to disclose documents regarding the National Security Agency’s domestic spying program. After the Times broke the story in December that the NSA had been intercepting domestic communications that were suspected to be linked with al Qaeda, it made a request for documents under the Freedom of Information Act. The Times sought a broad range of documents including all internal memoranda and emails about the program of monitoring phone calls without court approval, as well as the names of people or groups targeted under the program. Dissatisfied with the lack of response from the Pentagon, the Times filed suit against the Department of Defense, as the parent agency of the NSA, asserting that the Pentagon failed to assert that any unusual circumstances would justify extra time to respond....

NY Times Keylogger Article

Posted in Cyber and National Security

Posted by Kraig Baker

The New York Times had a prominent article this week about how, now that most of us are inured to the risks of phishing, sophisticated identity thieves are using “keyloggers.” As readers of this blog probably already know, keyloggers are pieces of hardware or software programs that log each keystroke that a user inputs into his or her computer — including passwords. Keyloggers aren’t new — there are cases in California and Florida addressing the use of keyloggers — but their wide use as part of software programs and the corresponding wide distribution is the next escalation in the identity theft battle and will extend the risks of keylogging to a much larger segment....

Wait, That’s Not an Airsickness Bag….

Posted in Cyber and National Security

Posted by Kraig Baker

The Consumerist writes today about how a McAfee employee (yes, the McAfee involved in making security software) left a CD-ROM disk containing confidential employee data in the pocket of his airplane seat. It’s always striking to me how people view their airplane (and train and bus) seats as private space. Many people who would never treat information insecurely in other situations seem to forget these habits when on airplanes. People conduct confidential business discussions with the person next to them, work on confidential documents on laptops with screens visible to passengers around them, and throw away confidential documents with used newspapers and magazines. Everyone is now concerned about the loss of decorum and flight rage that is going to arise from approving the use of mobile telephones on airplanes. As irritating as the use of mobile phones on airplanes will be, think of the concomitant loss of confidential information....

Panelists Discuss Privacy of Personal Information and Provide Tips on Defending Against Security Breaches

Posted in Cyber and National Security

Posted by Peerapong Tantamjarik

This morning, I dialed in to a brown bag discussion teleconference sponsored by the American Bar Association Section of Antitrust Law’s Computer & Internet Committee, Consumer Protection Committee, held in Washington D.C. The topic of the presentation concerned Information Privacy in the Digital Age. A copy of the flyer can be found here.

The teleconference involved panelists from private law firms, the FTC, and the Chief Compliance and Privacy Officer from ChoicePoint, Inc. It highlighted the ever-increasing attention paid by regulators to data security breaches of personal information and provided an opportunity for the panelists to share their thoughts on ways to improve compliance and how to respond to such breaches. From a chronology of recent privacy breaches, it is clear that victims of hackers run the gamut from private corporations to public agencies....

Let the Patriot Games Continue!

Posted in Cyber and National Security

Posted by Merrill Baumann

On Tuesday the Senate voted 69-30 to end debate on proposed changes to the USA Patriot Act, moving the controversial act closer to renewal. The final compromise points included provisions limiting the power of the FBI to demand records (including Internet usage) from libraries only in instances where terrorist usage is suspected.

But opponents assert that the Act will continue to be used in cases not involving terrorism. A federal judge in Florida, for example, recently concluded that nationwide search warrants obtained under Section 220 of the Patriot Act permitted federal prosecutors to obtain nationwide search warrants naming ISPs in California in a local child pornography case. Critics further point out that ISPs will be less likely to contest such warrants due to the cost of litigation outside of their local jurisdiction — even if the warrant is deficient....