Privacy & Security Law Blog

Legal Commentary and Resources for the Payment Industry

Insight & Commentary on Information Management and Protection

Category Archives: Policy and Regulatory Positioning

Consumer Privacy Legislation? All Sides Weigh In But Remain Far Apart in the Big Debate Over Big Data

Posted in Data Protection, Marketing and Consumer Privacy, Policy and Regulatory Positioning

Recent comments filed by various stakeholders in response to the U.S. Commerce Department’s National Telecommunications and Information Administration’s (NTIA) Request for Public Comment (RFC) on “Big Data and Consumer Privacy in the Internet Economy,” evidence a wide rift between consumer groups and most business interests regarding the need for additional consumer privacy law in the era of Big Data. NTIA issued its RFC back in June, in response to a recommendation in the May 1 White House report, “Big Data: Seizing Opportunities, Preserving Values” (hereinafter “Big Data Report”), which addressed how big data is transforming the lives of Americans.

In the Big Data Report, the White House recommended (among other things) that:

[t]he Department of Commerce should promptly seek public comment on how the Consumer Privacy Bill of Rights (“CPBR”) could support the innovations of big data while at the same time responding to its risks, and how a responsible use framework . . . could be embraced within the framework established by the [CPBR].” Following the comment process, the Department of Commerce should work on draft legislative text for consideration by stakeholders and submission by the President to Congress.

The Consumer Privacy Bill of Rights and Big ... Continue Reading

FTC Undertakes Periodic Rule Review of Telemarketing Sales Rule

Posted in Marketing and Consumer Privacy, Policy and Regulatory Positioning

The Federal Trade Commission (FTC) has published in the Federal Register a Request for Comments on all aspects of its Telemarketing Sales Rule (TSR) as part of a routine review of the effectiveness, costs and benefits of its rules. Though the Request for Comments targets several TSR issues in particular (discussed below), it views the review as assessing generally whether the Rule is serving a “useful purpose,” and whether it can be improved to reflect changes in the marketplace since it was previously amended in 2003, 2008 and 2010. Comments are due October 14, 2014.

The Request for Comments does not itself propose specific changes to the TSR but rather invites input on several specific topics, as well as on any issues relevant to the TSR that commenters wish to address. Notably, the National Do-Not-Call Registry, launched in 2003, grew out of precisely this kind of “routine” review of the TSR. Here, the FTC specifically seeks comment on issues surrounding:

• Whether there is a need to expand the TSR’s recordkeeping requirements;

• The use of pre-acquired account information, i.e., that which a customer has previously provided to a seller or telemarketer to subsequently charge his or her ... Continue Reading

Pass or Fail? Sens. Markey and Hatch Introduce “Protecting Student Privacy Act” Seeking to Amend FERPA, Increase Protection of Student PII Shared with Private Companies

Posted in Data Protection, Policy and Regulatory Positioning

On July 30, 2014, Sen. Edward J. Markey, D-Mass., made good on his earlier promise to beef up the Family Educational Rights and Privacy Act of 1974 (FERPA) to provide heightened protections for student educational records shared with private companies.

Together with Sen. Orrin Hatch, R-Utah, Markey introduced the “Protecting Student Privacy Act” (S.2690), which would amend FERPA and require schools and school districts to implement various data security protections to safeguard the personally identifiable information (PII) contained in students’ education records, and ties receipt of federal education funding to compliance with the Act’s heightened security standards.

Among the bill’s provisions, the Protecting Student Privacy Act:

  • Requires schools and school districts to protect students’ personally identifiable information (PII) contained in education records maintained by the institution;
  • Prohibits schools and school districts from using, releasing, or providing access to student PII in education records for advertising or marketing services or products;
  • Provides parents with a right to access their children’s PII and challenge, correct, or delete any inaccurate data in the education records held by private companies;
  • Mandates that outside parties such as private companies with whom students’ PII is shared have comprehensive information security policies and procedures in place to
  • ... Continue Reading

“Getting to Know You, Getting to Know All About You…” FTC Data Brokers Report Calls for More Industry Transparency, Regulation in How Data Brokers Use Consumers’ Personal Information

Posted in Data Protection, Marketing and Consumer Privacy, Policy and Regulatory Positioning

“You may not know them, but data brokers know you,” Federal Trade Commission (FTC) Chairwoman Edith Ramirez said when she announced the release of the Commission’s newest report on the data broker industry. And in the FTC’s opinion, Congress and the data brokerage industry need to take concerted action to bring transparency to the industry, protect consumers’ personally identifiable information (PII), and prevent abuse and discrimination. But will the FTC’s recommendations have any real effect? In light of recent statements about “actual” vs. “potential” harm and the expanding scope of the Agency’s Section 5 enforcement authority, the answer is a definite “maybe.”

Summary
On May 27, 2014, the FTC released “Data Brokers: A Call for Transparency and Accountability,” a report that marks the conclusion of the FTC’s two-year study into data broker industry practices. Coming on the heels of the White House’s own Big Data Report, the FTC’s Data Brokers Report highlights that “[i]n today’s economy, Big Data is big business” with numerous positive effects for both companies and consumers. Data brokers specifically play an important role in driving our economy through increased targeted marketing, identity verification and fraud detection.

But the Data Brokers Report also rang ... Continue Reading

FCC Reinforces that Those Who Knowingly Release Cell Numbers Grant Permission to be Called Under the TCPA–But Companies May Still Be Required to be Sure They Get the Number Directly from the Person to be Called

Posted in Communications/Media, Marketing and Consumer Privacy, Policy and Regulatory Positioning

We recently reported on two FCC declaratory rulings interpreting the Telephone Consumer Protection Act (TCPA), in the context of social-network text messages and package-delivery calls, that included broad, business-friendly statements that should help clarify TCPA rules for prior express consent to autodial, send prerecorded calls to, and text cell phones. We noted that in one ruling, the FCC in some respects revived a position staked out in 1992, in originally implementing the TCPA, that “persons who knowingly release their [cell] phone numbers have … given their invitation or permission to be called” there, an allowance whose viability had become less clear as TCPA precedent evolved. Shortly after the declaratory rulings, we also advised on the Eleventh Circuit’s Osorio v. State Farm decision, which increased the number of states in which the TCPA is interpreted as imposing strict liability on those who direct automated and/or prerecorded calls to cell phones under a mistaken belief that they have prior express consent to do so. Now another case extends the Osorio analysis and potentially ups the ante again.... Continue Reading

Part III: Has Congress Spoken and Does It Really Matter? The Wyndham Worldwide Case and the Expanding Power of the FTC to Police Data Security

Posted in Litigation, Policy and Regulatory Positioning

In the first and second parts of this series, we provided a summary of the District Court of New Jersey’s recent decision in FTC v. Wyndham Worldwide Corp. and then focused on whether the FTC has given “fair notice” to companies of the data security standards to which they will be held accountable. Today, we take a slightly different view of the FTC’s Section 5 history and revisit whether Brown & Williamson actually supports the position that Congress has granted the Commission the authority to regulate data security under Section 5. But in the end, such analysis may not matter: the FTC is not the sole source of data security responsibilities for “unregulated” industries, and one way or another, data security accountability is coming…

Has Congress really given the FTC Authority?
As we all know by now, the court rejected Wyndham’s arguments that the FTC’s Section 5 authority does not permit the Commission to create data-security standards for the private sector and enforce them under the “unfairness” prong of Section 5. However, Judge Salas’ opinion lacks both an appreciation of the history of the FTC’s unfairness authority and any real analysis of whether this was an issue of ... Continue Reading

Part II: Fair Notice or No Notice? The Wyndham Worldwide Case and the Expanding Power of the FTC to Police Data Security

Posted in Litigation, Policy and Regulatory Positioning

In our first blog in this series, we provided a summary of the District Court of New Jersey’s recent decision in FTC v. Wyndham Worldwide Corp., in which Judge Salas confirmed the FTC’s authority to bring enforcement actions to redress deficient corporate data security practices, even in the absence of formal rules or regulations setting forth what practices are unreasonable. Today we begin to explore the ramifications of that ruling, focusing on whether the FTC has given “fair notice” to companies of the data security standards to which they will be held accountable.

Not the Final Word
As noted in our April 9, 2014 post, it is important to keep in mind what this decision is not. It was not reached by a federal appeals court panel, but by a single federal district court judge, and it only denied a motion to dismiss the FTC’s complaint. The scope of the FTC’s authority under Section 5 may well be challenged in other district courts, and it is at least possible that Wyndham might ask the district court here to certify an interlocutory appeal to the Third Circuit on the scope of the FTC’s power (and in any event, the holding ... Continue Reading

Part I: The Elephant Emerges From the Mousehole: The Wyndham Worldwide Case and the Expanding Power of the FTC to Police Data Security

Posted in Litigation, Policy and Regulatory Positioning

In support of its motion to dismiss the FTC’s complaint alleging data security deficiencies in violation of Section 5 of the FTC Act, Wyndham Worldwide Corporation cited the Supreme Court’s opinion in Whitman v. American Trucking Ass’ns, which cautioned against agencies utilizing vague statutory provisions to alter “fundamental details of a regulatory scheme” and colorfully stated that “[Congress] does not, one might say, hide elephants in mouseholes.” See 531 U.S. 457, 468 (2001).

With the April 7, 2014 decision of Judge Esther Salas of the District Court of New Jersey in FTC v. Wyndham Worldwide Corp., that elephant has left its hiding place, and has exploded the mousehole in the process. Most notably, Judge Salas held that the FTC’s authority under the “unfairness” prong of Section 5 of the statute includes the power to prosecute stand-alone cases where a company is alleged generally to have “fail[ed] to maintain reasonable and appropriate data security for consumers’ sensitive personal information.”

In reaching its decision, the Court provided little additional guidance for companies as to what “reasonable” data security means, and—by rejecting defendant’s “fair notice” argument—would not require the FTC to promulgate rules and regulations in advance of enforcement actions, preferring ... Continue Reading

Updated Location Privacy Protection Act Introduced

Posted in Marketing and Consumer Privacy, Policy and Regulatory Positioning, Surveillance

On March 27, 2014, Senator Al Franken (D.-Minn.) introduced the Location Privacy Protection Act of 2014, a bill that addresses so-called “stalking apps.” While Senator Franken’s intent is to target those apps designed to maliciously track individuals without their knowledge, the legislation (an updated version of a bill we discussed three years ago) would require all companies to get users’ permission before collecting and sharing location data from smartphones, tablets, and in-car navigation devices. To obtain consent, entities subject to the law (if passed) would have to provide “clear, prominent, and accurate notice” that tells the user that his or her geolocation information will be collected. The notice must also identify the categories of entities to which the geolocation information may be disclosed, and provide a link or some other easy means for users to access publicly available information about the geolocation data to be collected. The bill includes several exceptions to the consent requirement, allowing the collection or use of geolocation data without the requisite notice and consent for purposes such as allowing parents to locate children, and enabling the provision of emergency services.

Under the proposed legislation, companies collecting geolocation data from more than 1,000 devices in ... Continue Reading

Google “Street View” case may be headed for SCOTUS Review

Posted in Communications/Media, Global, Marketing and Consumer Privacy, Policy and Regulatory Positioning

By John D. Seiver

Google held true to its promise to seek SCOTUS review of the Ninth Circuit’s interpretation of the term “radio communications” in the Wiretap Act when it filed its Petition for Certiorari last week. Google had argued in the Ninth Circuit that intercepting unencrypted Wi-Fi transmissions is within a specific exemption, but the Ninth Circuit (initially and on rehearing) held instead that unencrypted Wi-Fi is protected from interception by the Wiretap Act. Absent an extension, oppositions are due April 30, 2014... Continue Reading.

Caution: Your Company’s Biggest Privacy Threat is…the FTC

Posted in Marketing and Consumer Privacy, Policy and Regulatory Positioning

By Sanjay Nangia

Technology companies—from startups to megacorporations—should not overlook an old privacy foe: the Federal Trade Commission (FTC). Since its inception in 2002, the FTC’s data security program has significantly picked up steam. In the last two years, the FTC has made headlines for its hefty privacy-related fines against Google and the photo-sharing social network Path. In January 2014 alone, the agency settled with a whopping 15 companies for privacy violations. What is more, many of these companies’ practices were not purposefully deceptive or unfair; rather, the violations stem from a mere failure to invest the time and security resources needed to protect data.... Continue Reading

California Bill Would Create Cyber Security Commission

Posted in Cyber and National Security, Data Protection, Policy and Regulatory Positioning

In recognition of the increasing threat that cyber-attacks pose to the state’s infrastructure and the considerable costs that government and private sectors are estimated to spend on cyber security (more than $70 billion estimated to be spent in 2014 nationally), Assembly Speaker John Perez has introduced a bill to establish a “Cyber Security Commission.”

The bill (AB 2200), if passed, would authorize the proposed commission to develop public-private partnerships to share cyber security and cyber threat information and to improve cyber security and cyber response strategies. The commission is required to meet monthly and submit quarterly reports to the Governor’s Office and Legislature on the status and progress of cyber security efforts.

The commission would be comprised of a wide range of representatives from the Legislature, private industry, state, local, and federal government, including the following or their designees who have knowledge in information technology and information security: the California Director of Technology, the Chief of the California Office of Information Security, the President of the California Public Utilities Commission, representatives from the state universities, private sectors (retail, finance, utilities, healthcare or technology), the FBI, and the federal Department of Justice. Among other things, AB 2200 requires the Cyber Security ... Continue Reading

California AG Weighs in on Cybersecurity

Posted in Cyber and National Security, Policy and Regulatory Positioning

Just as NIST completes its version 1.0 national Framework for Improving Critical Infrastructure Cybersecurity, California Attorney General Kamala Harris has made clear she intends a leadership role for California. With a guide called “Cybersecurity in the Golden State: How California Businesses Can Protect Against and Respond to Malware, Data Breaches and Other Cyberincidents,” the AG offers a simplified, brief, and plain English version of cybersecurity protections directed toward small and medium size California businesses that likely lack the resources to hire full-time cybersecurity personnel. The Guide’s “Practical Steps to Minimize Cyber Vulnerabilities” are based on acknowledged deficiencies in the devices, websites, and apps at the network’s edge, and on the need for users and businesses to discipline their behavior and increase their vigilance against threats. The best practices outlined in the Guide are not unique to small or medium size businesses and overlap to a large extent NIST’s perspective on threats and cyber recommendations from many sources. The NIST Framework provides greater detail and is more explicit in the latitude it provides for business judgments about the proportionality of precautions with respect to the specific risks. Both the California Guide and NIST Framework seek to ... Continue Reading

Latest FTC Enforcement Action Reflects Agency’s Intent to Focus on Emerging Market Involving the “Internet of Things”

Posted in Data Protection, Marketing and Consumer Privacy, Policy and Regulatory Positioning

By K.C. Halm

In its first enforcement action against a company operating in the emerging market known as the “Internet of Things”, the FTC has secured a settlement agreement with a company that markets Internet-connected video cameras designed to allow consumers to remotely monitor their homes.

The increasing connectivity of consumer devices, such as cars, appliances, and medical devices, and the capability for these devices to communicate with other such devices, is commonly referred to as the Internet of Things. Many of the devices connected through the Internet of Things have the capability to communicate with consumers, transmit data back to companies, and compile data for third parties such as researchers, health care providers, or even other consumers, who can measure how their product usage compares with that of their neighbors.

But the benefits of such connectivity also present potential privacy and security risks, as the FTC’s latest action illustrates.... Continue Reading

Dealing with Networks and Regulatory Compliance: The Legal Side of Mobile Retail

Posted in Financial Services, Global, Policy and Regulatory Positioning

On April 16, 2013, DWT lawyers James Mann and Ronnie London presented on the topic of “Dealing with Networks and Regulatory Compliance: The Legal Side of Mobile Retail” at the RAMP Advanced Commerce and Mobile Retail Services Summit in Chicago.

The presentation focused primarily on two topics:

  • Why the Networks Are Here to Stay (and Some Suggestions for Dealing with Them)
  • Update on Mobile Regulatory Issues

To view the full presentation, click here.... Continue Reading

NIST Issues Draft RFI for Cybersecurity Framework

Posted in Policy and Regulatory Positioning

By Robert G. Scott, Jr.

Following up on the President’s February 12, 2013 Executive Order on Cybersecurity and the related Presidential Policy Directive, discussed in our last blog entry, the National Institute of Standards and Technology (NIST) has issued a draft Request For Information (RFI) to kick off the public input process as mandated by the Executive Order. The RFI seeks information on current cybersecurity risk management practices of private organizations–including standards, guidelines, and best practices–in the various sectors, including communications, information technology, health, financial services, energy, water, and others that implicate critical infrastructure.... Continue Reading

Executive Order and Policy Directive Promotes Cybersecurity Cooperation and Intelligence Sharing

Posted in Cyber and National Security, Data Protection, Policy and Regulatory Positioning

By Robert G. Scott, Jr.

On February 12, 2013, President Obama signed an Executive Order as well as a complementary Presidential Policy Directive intended to improve the flow of information and cyber-threat intelligence between government agencies and the private sector, and to improve the security of the nation’s critical infrastructure. The policies and requirements in these documents outline an ever-increasing role for owners and operators of critical infrastructure in resisting cyber threats.... Continue Reading

Internet Privacy Class Actions

Posted in Cyber and National Security, Global, Litigation, Policy and Regulatory Positioning

In today’s cyberworld, operating in online and social media can put companies in a special class. Unfortunately, that class could mean a class action lawsuit. Websites and social media provide search engines, website operators, and advertisers powerful ways to obtain and monetize data about users. Jimmy Nguyen explores how this power has triggered public and governmental concern about consumers’ online privacy, even leading to a Wall Street Journal investigative report in August 2010 and a wave of class action lawsuits. To read more, click here.... Continue Reading

An Advertising Perspective on the Kerry-McCain and Stearns-Matheson Privacy Bills

Posted in Marketing and Consumer Privacy, Policy and Regulatory Positioning

By Paul Glist

Last week, Sens. John Kerry and John McCain and Reps. Cliff Stearns and Jim Matheson offered new privacy bills. The Kerry-McCain Senate bill and the Stearns-Matheson House bill each seek to apply a common set of fair information practices to virtually all businesses, online and offline, that collect information about consumers or consumer behavior. For the moment, both bills are directed to commercial and non-profit organizations (such as many online businesses) that are currently not under privacy regulation.... Continue Reading

Reps. Stearns and Matheson Introduce Consumer Privacy Protection Act

Posted in Policy and Regulatory Positioning

One day after Senators Kerry and McCain introduced their Commercial Privacy Bill of Rights Act of 2011, Representatives Cliff Stearns and Jim Matheson introduced a new bill, the Consumer Privacy Protection Act of 2011, that, unlike Kerry-McCain (or California’s proposed Do Not Track Me Online Act), focuses on personally identifiable information (PII) without addressing behaviorally targeted advertising. Nonetheless, it does propose new legal obligations for commercial and non-profit entities that collect, sell, use, or disclose the PII of more than 5,000 consumers during any consecutive twelve-month period.

Some of the bill’s requirements, for many covered entities, may sound like old hat. For example, they would have to establish clear and readily available privacy policies governing their collection, sale, and disclosure of PII, and follow other requirements that have become conventional in bills oriented towards the Federal Trade Commission’s Fair Information Practice Principles (FIPP) (for more on the principles, see the FTC principles, here). But the bill’s requirements do invite participation in self-regulatory safe harbor programs. Covered entities create a presumption of compliance if they create and maintain a self-regulatory program that is approved by the FTC. Once approved, programs would have five-year terms. The regulatory program would have to contain a process ... Continue Reading

FTC “Reminder” About ID Theft Red Flag Compliance

Posted in Data Protection, Policy and Regulatory Positioning

Our recent Advisory Bulletin recounts how the FTC recently issued a gentle reminder that companies should be well along in getting their Identity Theft Red Flag programs in place in anticipation of the November 2008 compliance deadline. The FTC’s notice announced that it also has launched an outreach effort to explain the rules, which included publication of a very general alert on what the rules require and what types of businesses must comply.... Continue Reading

Some State Data Encryption Requirements More Effective than Others

Posted in Policy and Regulatory Positioning

Posted by Randy Gainer

State and federal laws encourage businesses to encrypt consumers’ computerized personal information. Most state data breach notice laws do not require businesses to notify their customers when customers’ digital personal information has been stolen or lost if the information was encrypted. The Federal Trade Commission encourages but does not mandate that consumers’ personal data be encrypted. See Protecting Personal Information, A Guide for Businesses.

Nevada enacted a statute that goes further and affirmatively requires businesses to encrypt certain consumer data. Washington and Michigan are currently considering legislation that would also require consumer data to be encrypted. The Nevada statute and the pending Washington and Michigan bills contain different encryption requirements. Of the various measures, the proposed Michigan bill and the Washington Senate bill would most effectively protect consumer data if they are enacted.... Continue Reading

FTC Data Security Consent Decree Suggests Minimum Steps Companies Must Take

Posted in Cyber and National Security, Data Protection, Financial Services, Global, Marketing and Consumer Privacy, Policy and Regulatory Positioning

The FTC recently announced a consent decree with online retailer Life is good (www.lifeisgood.com) that offers insight into what that agency may believe are the bare minimum steps companies must take when making the kind of generic we-protect-the-information-you-give-us statements found in most privacy policies. The FTC claimed Life is good offered such reassurances but failed to have in place sufficient measures (from the FTC’s view) to back them up, based on the ability of a hacker to use SQL injection attacks on Life is good’s website to access consumers’ credit card numbers, expiration dates, and security codes. To resolve allegations in a draft complaint the FTC had prepared alleging unfair trade practices, Life is good settled the claims by entering a consent decree requiring it to adopt a comprehensive information-security program and obtain biennial audits by an independent third-party security professional … for the next 20 years.... Continue Reading
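The post above names SQL injection as the attack that exposed card data, but does not show what that looks like in code. The following is an added example, not code from the page or from the retailer, that puts a concatenated-string lookup beside the parameterized form the FTC would expect a “comprehensive information-security program” to mandate. The table, the fake card numbers, and the `orders`/`email`/`pan` names are constructed for the demonstration; no security codes are stored because PCI DSS prohibits retaining them after authorization, which is a separate finding a reviewer would have raised about the breach described.

```python
"""Added example: a SQL-injectable lookup beside its parameterized fix.

Uses an in-memory SQLite database with constructed sample rows; the table
name, column names and card numbers are assumptions for the demo.
"""
import sqlite3


def build_db():
    """Create the constructed sample table (test card numbers, no CVV)."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE orders (id INTEGER PRIMARY KEY, email TEXT, "
        "pan TEXT, expiry TEXT)"
    )
    conn.executemany(
        "INSERT INTO orders (email, pan, expiry) VALUES (?, ?, ?)",
        [
            ("alice@example.com", "4111111111111111", "12/26"),
            ("bob@example.com", "5555555555554444", "03/27"),
        ],
    )
    return conn


def lookup_vulnerable(conn, email):
    """Vulnerable: user input is spliced into the SQL text, so a quote in
    the input ends the string literal and the rest is parsed as SQL."""
    sql = "SELECT email, pan, expiry FROM orders WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_parameterized(conn, email):
    """Hardened: the value travels as a bound parameter, never as SQL, so
    the same payload is compared literally against the email column."""
    sql = "SELECT email, pan, expiry FROM orders WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


# Classic tautology payload (constructed). In the vulnerable query it yields
#   WHERE email = '' OR '1'='1'
# which is true for every row, dumping the whole table.
PAYLOAD = "' OR '1'='1"


def demo():
    """Return (rows leaked by the vulnerable query, rows returned by the
    parameterized query for the same payload, rows for a legitimate email)."""
    conn = build_db()
    leaked = lookup_vulnerable(conn, PAYLOAD)
    safe = lookup_parameterized(conn, PAYLOAD)
    legit = lookup_parameterized(conn, "alice@example.com")
    return len(leaked), len(safe), len(legit)


if __name__ == "__main__":
    print(demo())  # (2, 0, 1)
```

The fix is not input filtering but separating code from data: every query that takes attacker-reachable input uses bound parameters (or an ORM that does so), and the application database account is granted only the columns the page needs, so a surviving injection cannot reach card data at all.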

California Breach Disclosure Law Now Covers Medical Records

Posted in Cyber and National Security, Healthcare, Marketing and Consumer Privacy, Policy and Regulatory Positioning

By Charlene Brownlee

California extended its data breach notification law to include incidents involving electronic medical and health insurance information. California’s data breach law, SB 1386, had previously covered only financial records. The new law, AB 1298 took effect January 8, 2008. The law adds medical and health-related information to the existing breach notification law definition of “personal information” and expands the application of the Confidentiality of Medical Information Act (CMIA) to include any business organized for the purpose of maintaining medical information.... Continue Reading