Privacy & Security Law Blog

Legal Commentary and Resources for the Payment Industry

Insight & Commentary on Information Management and Protection

Category Archives: Policy and Regulatory Positioning

“Getting to Know You, Getting to Know All About You…” FTC Data Brokers Report Calls for More Industry Transparency, Regulation in How Data Brokers Use Consumers’ Personal Information

Posted in Data Protection, Marketing and Consumer Privacy, Policy and Regulatory Positioning

“You may not know them, but data brokers know you,” Federal Trade Commission (FTC) Chairwoman Edith Ramirez said when she announced the release of the Commission’s newest report on the data broker industry. And in the FTC’s opinion, Congress and the data brokerage industry need to take concerted action to bring transparency to the industry, protect consumers’ personally identifiable information (PII), and prevent abuse and discrimination. But will the FTC’s recommendations have any real effect? In light of recent statements about “actual” vs. “potential” harm and the expanding scope of the Agency’s Section 5 enforcement authority, the answer is a definite “maybe.”

Summary
On May 27, 2014, the FTC released “Data Brokers: A Call for Transparency and Accountability,” a report that marks the conclusion of the FTC’s two-year study into data broker industry practices. Coming on the heels of the White House’s own Big Data Report the FTC’s Data Brokers Report highlights that “[i]n today’s economy, Big Data is big business” with numerous positive effects for both companies and consumers. And data brokers specifically play an important role in driving our economy through increased targeted marketing, identity verification and fraud detection.

But the Data Brokers Report also rang ...

FCC Reinforces that Those Who Knowingly Release Cell Numbers Grant Permission to be Called Under the TCPA–But Companies May Still Be Required to be Sure They Get the Number Directly from the Person to be Called

Posted in Communications/Media, Marketing and Consumer Privacy, Policy and Regulatory Positioning

We recently reported on two FCC declaratory rulings interpreting the Telephone Consumer Protection Act (TCPA), in the context of social-network text messages and package-delivery calls, that included broad, business-friendly statements that should help clarify TCPA rules for prior express consent to autodial, place prerecorded calls to, or text cell phones. We noted that in one ruling, the FCC in some respects revived a position staked out in 1992, in originally implementing the TCPA, that “persons who knowingly release their [cell] phone numbers have … given their invitation or permission to be called” there, an allowance whose viability had become less clear as TCPA precedent evolved. Shortly after the declaratory rulings, we also advised on the Eleventh Circuit’s Osorio v. State Farm decision, which increased the number of states in which the TCPA is interpreted as imposing strict liability on those who direct automated and/or prerecorded calls to cell phones under a mistaken belief they have prior express consent to do so. Now another case extends the Osorio analysis to potentially up the ante again....

Part III: Has Congress Spoken and Does It Really Matter? The Wyndham Worldwide Case and the Expanding Power of the FTC to Police Data Security

Posted in Litigation, Policy and Regulatory Positioning

In the first and second parts of this series, we provided a summary of the District Court of New Jersey’s recent decision in FTC v. Wyndham Worldwide Corp. and then focused on whether the FTC has given “fair notice” to companies of the data security standards to which they will be held accountable. Today, we take a slightly different view of the FTC’s Section 5 history and revisit whether Brown v. Williamson actually supports the position that Congress has granted the Commission the authority to regulate data security under Section 5. But in the end, such analysis may not matter—the FTC is not the sole source of data security responsibilities for “unregulated” industries and one way or another, data security accountability is coming…

Has Congress really given the FTC Authority?
As we all know by now, the court rejected Wyndham’s arguments that the FTC’s Section 5 authority does not permit the Commission to create data-security standards for the private sector and enforce them under the “unfairness” prong of section 5. However, Judge Salas’ opinion lacks both an appreciation of the history of the FTC’s unfairness authority and any real analysis of whether this was an issue of ...

Part II: Fair Notice or No Notice? The Wyndham Worldwide Case and the Expanding Power of the FTC to Police Data Security

Posted in Litigation, Policy and Regulatory Positioning

In our first blog in this series, we provided a summary of the District Court of New Jersey’s recent decision in FTC v. Wyndham Worldwide Corp., in which Judge Salas confirmed the FTC’s authority to bring enforcement actions to redress deficient corporate data security practices, even in the absence of formal rules or regulations setting forth what practices are unreasonable. Today we begin to explore the ramifications of that ruling, focusing on whether the FTC has given “fair notice” to companies of the data security standards to which they will be held accountable.

Not the Final Word
As noted in our April 9, 2014 post, it is important to keep in mind what this decision is not. It was not reached by a federal appeals court panel, but by a single federal district court judge, and it only denied a motion to dismiss the FTC’s complaint. The scope of the FTC’s authority under Section 5 may well be challenged in other district courts, and it is at least possible that Wyndham might ask the district court here to certify an interlocutory appeal to the Third Circuit on the scope of the FTC’s power (and in any event, the holding ...

Part I: The Elephant Emerges From the Mousehole: The Wyndham Worldwide Case and the Expanding Power of the FTC to Police Data Security

Posted in Litigation, Policy and Regulatory Positioning

In support of its motion to dismiss the FTC’s complaint alleging data security deficiencies in violation of Section 5 of the FTC Act, Wyndham Worldwide Corporation cited the Supreme Court’s opinion in Whitman v. American Trucking Ass’ns, which cautioned against agencies utilizing vague statutory provisions to alter “fundamental details of a regulatory scheme”, and colorfully stated that “[Congress] does not, one might say, hide elephants in mouseholes.” See 531 U.S. 457, 468 (2001).

With the April 7, 2014 decision of Judge Esther Salas of the District Court of New Jersey in FTC v. Wyndham Worldwide Corp., that elephant has left its hiding place, and has exploded the mousehole in the process. Most notably, Judge Salas held that the FTC’s authority under the “unfairness” prong of Section 5 of the statute, includes the power to prosecute stand-alone cases where a company is alleged generally to have “fail[ed] to maintain reasonable and appropriate data security for consumers’ sensitive personal information.”

In reaching its decision, the Court provided little additional guidance for companies as to what “reasonable” data security means, and—by rejecting defendant’s “fair notice” argument—would not require the FTC to promulgate rules and regulations in advance of enforcement actions, preferring ...

Updated Location Privacy Protection Act Introduced

Posted in Marketing and Consumer Privacy, Policy and Regulatory Positioning, Surveillance

On March 27, 2014, Senator Al Franken (D.-Minn.) introduced the Location Privacy Protection Act of 2014, a bill that addresses so-called “stalking apps.” While Senator Franken’s intent is to target those apps designed to maliciously track individuals without their knowledge, the legislation (an updated version of a bill we discussed three years ago) would require all companies to get users’ permission before collecting and sharing location data from smartphones, tablets, and in-car navigation devices. To obtain consent, entities subject to the law (if passed) would have to provide “clear, prominent, and accurate notice” that tells the user that his or her geolocation information will be collected. The notice must also identify the categories of entities to which the geolocation information may be disclosed, and provide a link or some other easy means for users to access publicly available information about the geolocation data to be collected. The bill includes several exceptions to the consent requirement, allowing the collection or use of geolocation data without the requisite notice and consent for purposes such as allowing parents to locate children, and enabling the provision of emergency services.

Under the proposed legislation, companies collecting geolocation data from more than 1,000 devices in ...

Google “Street View” case may be headed for SCOTUS Review

Posted in Communications/Media, Global, Marketing and Consumer Privacy, Policy and Regulatory Positioning

By John D. Seiver

Google held true to its promise to seek SCOTUS review of the Ninth Circuit’s interpretation of the term “radio communications” in the Wiretap Act when it filed its Petition for Certiorari last week. Google had argued in the Ninth Circuit that intercepting unencrypted Wi-Fi transmissions is within a specific exemption, but the Ninth Circuit (initially and on rehearing) held instead that unencrypted Wi-Fi is protected from interception by the Wiretap Act. Absent an extension, oppositions are due April 30, 2014...

Caution: Your Company’s Biggest Privacy Threat is…the FTC

Posted in Marketing and Consumer Privacy, Policy and Regulatory Positioning

By Sanjay Nangia

Technology companies—from startups to megacorporations—should not overlook an old privacy foe: the Federal Trade Commission (FTC). Since its inception in 2002, the FTC’s data security program has significantly picked up steam. In the last two years, the FTC has made headlines for its hefty privacy-related fines against Google and photo-sharing social network, Path. In January 2014 alone, the agency settled with a whopping 15 companies for privacy violations. What is more, many of these companies’ practices were not purposefully deceptive or unfair; rather the violations stem from mere failure to invest the time and security resources needed to protect data.

California Bill Would Create Cyber Security Commission

Posted in Cyber and National Security, Data Protection, Policy and Regulatory Positioning

In recognition of the increasing threat that cyber-attacks pose to the state’s infrastructure and the considerable costs that government and private sectors are estimated to spend on cyber security (more than $70 billion estimated to be spent in 2014 nationally), Assembly Speaker John Perez has introduced a bill to establish a “Cyber Security Commission.”

The bill (AB 2200), if passed, would authorize the proposed commission to develop public-private partnerships to share cyber security and cyber threat information and to improve cyber security and cyber response strategies. The commission is required to meet monthly and submit quarterly reports to the Governor’s Office and Legislature on the status and progress of cyber security efforts.

The commission would be comprised of a wide range of representatives from the Legislature, private industry, state, local, and federal government, including the following or their designees who have knowledge in information technology and information security: the California Director of Technology, the Chief of the California Office of Information Security, the President of the California Public Utilities Commission, representatives from the state universities, private sectors (retail, finance, utilities, healthcare or technology), the FBI, and the federal Department of Justice. Among other things, AB 2200 requires the Cyber Security ...

California AG Weighs in on Cybersecurity

Posted in Cyber and National Security, Policy and Regulatory Positioning

Just as NIST completes its version 1.0 national Framework for Improving Critical Infrastructure Cybersecurity, California Attorney General Kamala Harris has made clear she intends a leadership role for California. With a guide called “Cybersecurity in the Golden State: How California Businesses Can Protect Against and Respond to Malware, Data Breaches and Other Cyberincidents,” the AG offers a simplified, brief, and plain-English version of cybersecurity protections directed toward small and medium-size California businesses that likely lack the resources to hire full-time cybersecurity personnel. The Guide’s “Practical Steps to Minimize Cyber Vulnerabilities” are based on acknowledged deficiencies in the devices, websites, and apps at the network’s edge, and on the need for users and businesses to discipline their behavior and increase their vigilance against threats. The best practices outlined in the Guide are not unique to small or medium-size businesses and overlap to a large extent with NIST’s perspective on threats and cyber recommendations from many sources. The NIST Framework provides greater detail and is more explicit in the latitude it provides for business judgments about the proportionality of precautions with respect to the specific risks. Both the California Guide and NIST Framework seek to ...

Latest FTC Enforcement Action Reflects Agency’s Intent to Focus on Emerging Market Involving the “Internet of Things”

Posted in Data Protection, Marketing and Consumer Privacy, Policy and Regulatory Positioning

By K.C. Halm

In its first enforcement action against a company operating in the emerging market known as the “Internet of Things”, the FTC has secured a settlement agreement with a company that markets Internet-connected video cameras designed to allow consumers to remotely monitor their homes.

The increasing connectivity of consumer devices, such as cars, appliances, and medical devices, and the capability for these devices to communicate with other such devices, is commonly referred to as the Internet of Things. Many of the devices connected through the Internet of Things have the capability to communicate with consumers, transmit data back to companies, and compile data for third parties such as researchers, health care providers, or even other consumers, who can measure how their product usage compares with that of their neighbors.

But the benefits of such connectivity also present potential privacy and security risks, as the FTC’s latest action illustrates....

Dealing with Networks and Regulatory Compliance: The Legal Side of Mobile Retail

Posted in Financial Services, Global, Policy and Regulatory Positioning

On April 16, 2013, DWT lawyers James Mann and Ronnie London presented on the topic of “Dealing with Networks and Regulatory Compliance: The Legal Side of Mobile Retail” at the RAMP Advanced Commerce and Mobile Retail Services Summit in Chicago.

The presentation focused primarily on two topics:

  • Why the Networks Are Here to Stay (and Some Suggestions for Dealing with Them)
  • Update on Mobile Regulatory Issues

To view the full presentation, click here.

NIST Issues Draft RFI for Cybersecurity Framework

Posted in Policy and Regulatory Positioning

By Robert G. Scott, Jr.

Following up on the President’s February 12, 2013 Executive Order on Cybersecurity and the related Presidential Policy Directive, discussed in our last blog entry, the National Institute of Standards and Technology (NIST) has issued a draft Request For Information (RFI) to kick off the public input process as mandated by the Executive Order. The RFI seeks information on current cybersecurity risk management practices of private organizations–including standards, guidelines, and best practices–in the various sectors, including communications, information technology, health, financial services, energy, water, and others that implicate critical infrastructure....

Executive Order and Policy Directive Promotes Cybersecurity Cooperation and Intelligence Sharing

Posted in Cyber and National Security, Data Protection, Policy and Regulatory Positioning

By Robert G. Scott, Jr.

On February 12, 2012, President Obama signed an Executive Order as well as a complementary Presidential Policy Directive intended to improve the flow of information and cyber-threat intelligence between government agencies and the private sector, and to improve the security of the nation’s critical infrastructure. The policies and requirements in these documents outline an ever-increasing role for owners and operators of critical infrastructure in resisting cyber threats....

Internet Privacy Class Actions

Posted in Cyber and National Security, Global, Litigation, Policy and Regulatory Positioning

In today’s cyberworld, operating in online and social media can put companies in a special class. Unfortunately, that class could mean a class action lawsuit. Websites and social media provide search engines, website operators, and advertisers powerful ways to obtain and monetize data about users. Jimmy Nguyen explores how this power has triggered public and governmental concern about consumers’ online privacy, even leading to a Wall Street Journal investigative report in August 2010 and a wave of class action lawsuits. To read more, click here.

An Advertising Perspective on the Kerry-McCain and Stearns-Matheson Privacy Bills

Posted in Marketing and Consumer Privacy, Policy and Regulatory Positioning

By Paul Glist

Last week, Sens. John Kerry and John McCain and Reps. Cliff Stearns and Jim Matheson offered new privacy bills. The Kerry-McCain Senate bill and the Stearns-Matheson House bill each seeks to apply a common set of fair information practices on virtually all businesses, online and offline, that collect information about consumers or consumer behavior. For the moment, both bills are directed to commercial and non-profit organizations (such as many online businesses) that are currently not under privacy regulation....

Reps. Stearns and Matheson Introduce Consumer Privacy Protection Act

Posted in Policy and Regulatory Positioning

One day after Senators Kerry and McCain introduced their Commercial Privacy Bill of Rights Act of 2011, Representatives Cliff Stearns and Jim Matheson introduced a new bill, the Consumer Privacy Protection Act of 2011 that, unlike Kerry-McCain (or California’s proposed Do Not Track Me Online Act), focuses on personally identifiable information (PII), without addressing behaviorally targeted advertising. Nonetheless, it does propose new legal obligations for commercial and non-profit entities that collect, sell, use, or disclose PII of more than 5,000 consumers during any consecutive twelve-month period.

Some of the bill’s requirements, for many covered entities, may sound like old hat. For example, they would have to establish clear and readily available privacy policies governing their collection, sale, and disclosure of PII, and follow other requirements that have become conventional in bills oriented towards the Federal Trade Commission’s Fair Information Practice Principles (FIPP) (for more on the principles, see the FTC principles, here). But the bill’s requirements do invite participation in self-regulatory safe harbor programs. Covered entities create a presumption of compliance if they create and maintain a self-regulatory program that is approved by the FTC. Once approved, programs would have five-year terms. The regulatory program would have to contain a process ...

FTC “Reminder” About ID Theft Red Flag Compliance

Posted in Data Protection, Policy and Regulatory Positioning

Our recent Advisory Bulletin recounts how the FTC recently issued a gentle reminder that companies should be well along in getting their Identity Theft Red Flag programs in place in anticipation of the November 2008 compliance deadline. The FTC’s notice announced that it also has launched an outreach effort to explain the rules, which included publication of a very general alert on what the rules require and what types of businesses must comply....

Some State Data Encryption Requirements More Effective than Others

Posted in Policy and Regulatory Positioning

Posted by Randy Gainer

State and federal laws encourage businesses to encrypt consumers’ computerized personal information. Most state data breach notice laws do not require businesses to notify their customers when customers’ digital personal information has been stolen or lost if the information was encrypted. The Federal Trade Commission encourages but does not mandate that consumers’ personal data be encrypted. See Protecting Personal Information, A Guide for Businesses.

Nevada enacted a statute that goes further and affirmatively requires businesses to encrypt certain consumer data. Washington and Michigan are currently considering legislation that would also require consumer data to be encrypted. The Nevada statute and the pending Washington and Michigan bills contain different encryption requirements. Of the various measures, the proposed Michigan bill and the Washington Senate bill would most effectively protect consumer data if they are enacted....

FTC Data Security Consent Decree Suggests Minimum Steps Companies Must Take

Posted in Cyber and National Security, Data Protection, Financial Services, Global, Marketing and Consumer Privacy, Policy and Regulatory Positioning

The FTC recently announced a consent decree with online retailer Life is good (www.lifeisgood.com) that offers insight into what that agency may believe are the bare minimum steps companies must take when making the kind of generic we-protect-the-information-you-give-us statements found in most privacy policies. The FTC claimed Life is good offered such reassurances but failed to have in place sufficient measures (from the FTC’s view) to back them up, based on the ability of a hacker to use SQL injection attacks on Life is good’s website to access consumers’ credit card numbers, expiration dates, and security codes. To resolve allegations in a draft complaint the FTC had prepared alleging unfair trade practices, Life is good settled the claims by entering a consent decree requiring it to adopt a comprehensive information-security program and obtain biennial audits by an independent third-party security professional … for the next 20 years....

California Breach Disclosure Law Now Covers Medical Records

Posted in Cyber and National Security, Healthcare, Marketing and Consumer Privacy, Policy and Regulatory Positioning

By Charlene Brownlee

California extended its data breach notification law to include incidents involving electronic medical and health insurance information. California’s data breach law, SB 1386, had previously covered only financial records. The new law, AB 1298, took effect January 8, 2008. The law adds medical and health-related information to the existing breach notification law definition of “personal information” and expands the application of the Confidentiality of Medical Information Act (CMIA) to include any business organized for the purpose of maintaining medical information....

FTC Announces “Crackdown” on Do-Not-Call Violators

Posted in Marketing and Consumer Privacy, Policy and Regulatory Positioning

Posted by Ronald G. London

The Federal Trade Commission recently announced that as a result of a new crackdown by the agency on violations of the National Do-Not-Call Registry (“NDNCR”) and related provisions of the FTC’s Telemarketing Sales Rule (“TSR”), it entered several consent decrees with multiple companies totaling $7.7 million in civil penalties, with one complaint still outstanding. The FTC brought the enforcement actions against Craftmatic (purveyor of adjustable beds and mobility assistance scooters) and affiliated entities through which it conducts telemarketing, ADT for TSR-violative actions by authorized third-party dealers of its security systems, Ameriquest Mortgage Company, Guardian Communications and its prerecorded call vendor U.S. Voice Broadcasting, and Global Mortgage Funding. Each of the first four companies and their affiliated entities entered consent decrees with the government and agreed to pay substantial civil penalties (amounts provided below) and to injunctive relief prohibiting them from engaging in similar violations in the future, while the FTC’s complaint for civil penalties and injunctive relief against Global was to be filed....

Identity Theft Enforcement and Restitution Act of 2007 Introduced

Posted in Data Protection, Policy and Regulatory Positioning

Posted By Joe Addiego

The Identity Theft Enforcement and Restitution Act of 2007 recently was introduced to the Senate Committee on the Judiciary by Senator Patrick Leahy, the Chair of that Committee. The purpose of the bill is “to enable increased federal prosecution of identity theft crimes and to allow for restitution to victims of identity theft.”

The bill is aimed at “malicious spyware, hacking and keyloggers,” as well as “cyber-extortion,” and it offers a number of remedies that may be pursued by both the government and individuals in response to occurrences of identity theft. For example, if passed into law, any use of spyware or keylogging that causes damage to 10 or more computers would be punishable as a felony. The government also would be able to pursue more incidents of such cybercrime, as the bill would allow prosecution where the victim and alleged cyber-criminal are residents of the same state (the current version of the law would require the theft to occur over interstate or international borders). Further, victims of identity theft would have the right to seek “criminal restitution” from the perpetrator for the time and expense related to the victim’s efforts to restore their credit that ...

FTC Changes Duration of National Do-Not-Call Registrations

Posted in Policy and Regulatory Positioning

Posted by Ronald London

The Federal Trade Commission today announced through a statement by Chairman Deborah Platt Majoras and in related testimony before Congress that it will not remove any telephone numbers from the National Do Not Call Registry (“NDNCR”) notwithstanding that it previously stated in adopting the NDNCR rules that such registrations are to last only five years. That decision was the result of deliberative consideration of constitutional and statutory imperatives not to unduly interfere with legitimate telemarketing, how long numbers remain registered on the various state do-not-call lists, and the fact that the telephone subscriber who places a number on this list may well move or otherwise change his or her number, leaving it to be “recycled” to a new subscriber who did not initially place it on the NDNCR and may or may not want to be listed. Indeed, the record at the time reflected that 16% of all phone numbers change each year, and 20% of all Americans move each year. The FTC decided that, on balance, given the needs of legitimate telemarketing, the frequency with which telephone numbers are recycled, and the fact that not everyone would want their number on the NDNCR, five years was the ...