Privacy & Security Law Blog

Legal Commentary and Resources for the Payment Industry

Insight & Commentary on Information Management and Protection

Category Archives: Technology

General Counsel, Is Your Website Vulnerable?

Posted in Cyber and National Security, Technology, Workplace Privacy

A report just released by security startup, Menlo Security, found that one-third of the top one million websites have already been compromised with malware or are running outdated or unpatched software that is vulnerable.

The problem is two-fold:

1. Does your website contain vulnerabilities?
As the report notes, these website vulnerabilities are easily detectable by attackers. In fact, information about the software running on your website (e.g., web servers, content management systems, application frameworks) is readable by any standard browser and can easily be cross-referenced against publicly available lists of known vulnerabilities. If your website software is out of date, you are a potential target.

What can you do? Your technical and security teams should have formal processes for scanning your website for new vulnerabilities and making sure that all website software is promptly patched and updated. Simply running the most current version of the software can help eliminate many of the known threats.

If you find that your website has been compromised, have a prepared incident response plan that has been tested so that you can react quickly. Companies that are able to identify and respond to security incidents in a quick and comprehensive manner are usually ... Continue Reading

Advisory Alert: FTC Staff Report on Internet of Things

Posted in Marketing and Consumer Privacy, Technology

The Federal Trade Commission released its much anticipated staff report on January 27 regarding consumer privacy and data security concerns arising from the emerging market for connected devices known as the Internet of Things (“IoT”). Titled “The Internet of Things: Privacy and Security in a Connected World,” the FTC’s report (the “Report”) builds on the FTC’s November 2013 IoT Workshop and focuses on issues arising from the estimated 25 billion consumer-facing IoT devices expected to be connected by the end of this year. The Report presents the FTC staff’s recommendations and best practices for enhancing privacy and security in the consumer IoT space, but does not resolve some of the most significant issues presented by this emerging sector, including how to reconcile the growing tension between Fair Information Practice Principles or “FIPPs” (such as notice, choice and data minimization) with technology that often lacks screens for notice and contains sensors designed to collect multiple streams of data at all times.

Continue reading here.... Continue Reading

Legal Departments: Are You Ready for The New PCI DSS Requirements?

Posted in Data Protection, Financial Services, Technology

Starting Jan. 1, 2015, the Payment Card Industry Data Security Standard (PCI DSS) Version 3.0 (click-through agreement required) will replace Version 2.0.  The PCI DSS is a set of requirements developed by the four major credit card networks and is designed to enhance the security of credit card transactions and cardholder data.  The PCI DSS requirements apply to any entity involved in credit card processing, including merchants, processors and service providers that store, process or transmit cardholder data.  In short, the PCI DSS applies to virtually all companies, big and small, that take credit card payments from consumers or help facilitate those transactions.

In November 2013, the PCI released Version 3.0 of the PCI DSS and made it available for voluntary use in January 2014.  During 2014, covered entities were permitted to use either Version 2.0 or the updated Version 3.0 in order to certify their annual PCI DSS compliance.  However, after December 31, 2014 covered entities will be required to use Version 3.0 for their attestation and internal compliance purposes.  Version 3.0 not only updates and clarifies existing requirements, but also includes several new requirements.

The PCI DSS rules are not just technical requirements.  The new requirements ... Continue Reading

Is Your Website Ready for California’s “Minor Eraser” Law?

Posted in Communications/Media, Marketing and Consumer Privacy, Technology

Starting on Jan. 1, 2015, California’s new “Minor Eraser” law goes into effect and allows minors in California to remove content or information that they have posted as a registered user on a website, online service, online application or mobile application (collectively, an “online service”).

Does this new law apply to your website? 

This new law will apply to online services in two instances – if your online service is directed to minors or if the operator has actual knowledge that a minor is using the online service.  This law defines “minor” as any person under 18 years old who resides in California.

The statute defines “directed to minors” as an online service, or any part thereof, that is “created for the purpose of reaching an audience that is predominately comprised of minors, and is not intended for a more general audience comprised of adults” (emphasis added); however, an online service is not “directed to minors” solely because it refers or links to another online service that is directed to minors, see Cal. Bus. & Prof. Code §22580(e).  It is important to note that a portion of an online service can be directed to minors if it ... Continue Reading

When Does Texting Become Autodialing?

Posted in Communications/Media, Technology

Seventh Circuit Provided Opportunity to Consider Just What “Capacity” Equipment Must Have to Fall Within TCPA Restrictions

The U.S. Court of Appeals for the Seventh Circuit could entertain arguments on what “capacity” equipment must have to be considered an autodialer under the Telephone Consumer Protection Act (TCPA). An Illinois federal district court recently allowed Path, Inc. to pursue an interlocutory appeal of a summary judgment order finding the social networking service used an automated telephone dialing system (ATDS), as defined by the TCPA, to send unsolicited text messages to numbers gathered from users’ contact lists. If the Seventh Circuit agrees to hear Path’s appeal, it could beat the Federal Communications Commission (FCC) to the punch on an issue often at the center of the significant upswing of TCPA class action litigation.

The TCPA prohibits autodialed calls to cellular and other wireless phones, or other services for which recipients pay for calls, unless there is prior express consent or the call is for emergency purposes. The statute defines an ATDS as equipment having the capacity to store or produce phone numbers to be called, using a random or sequential number generator, and to dial such numbers. That definition was adopted in ... Continue Reading

COPPA’s “Safe Harbor” Grows with FTC’s Approval of iKeepSafe’s Self-Regulating Framework

Posted in Data Protection, Technology

The Federal Trade Commission (FTC) has announced that it approved iKeepSafe’s Safe Harbor Program application, allowing the company’s self-regulating framework to serve as a safe harbor under the Children’s Online Privacy Protection Act (COPPA) and the COPPA Rule. The approval comes five months after iKeepSafe originally submitted its safe harbor program application to the FTC.

Under the COPPA Rule, websites that target users under 13 must provide notice and receive verifiable parental consent before collecting personal information from children. Additionally, the COPPA Rule contains a “Safe Harbor” provision that allows industry leaders to develop safe harbor programs that, if approved by the FTC, automatically bring participants into compliance with COPPA’s requirements. The safe harbor option is meant to foster and support industry self-regulation while also advancing COPPA’s goals of guarding children’s privacy. In most circumstances, website operators that participate in an FTC approved safe harbor program will only be subject to the review and disciplinary procedures provided in the safe harbor’s guidelines in lieu of formal FTC investigation and law enforcement.

iKeepSafe’s Safe Harbor Program requires participating companies and organizations to follow five guiding principles. It requires participants to: (1) develop clearly written privacy policies describing what data is ... Continue Reading

U.S. District Court Dismisses Privacy Class Actions against Viacom, Google

Posted in Communications/Media, Technology

Google and Viacom’s,, and off the hook – for now

On July 2, 2014, New Jersey Federal District Judge Stanley R. Chesler dismissed six consolidated MDL class actions challenging Viacom’s and Google’s practice of installing cookies on personal computers that were used by children to access three Nickelodeon websites.  According to Plaintiffs, Viacom allegedly used its cookies to collect personally identifiable information (PII) on the children in an anonymized format without user or parental consent.  Viacom then allowed Google to access the data in Viacom’s “first-party” cookies, and also allowed Google to install its own “third-party” cookies.  Plaintiffs—all of whom were under thirteen years of age—alleged this data collection and sharing violated federal, California, and New Jersey law, including the federal Video Privacy Protection Act (VPPA), Wiretap Act, and Stored Communications Act (SCA), as well as the California Invasion of Privacy Act (CIPA) and the New Jersey Computer Related Offenses Act (CROA).

Judge Chesler dismissed most of plaintiffs’ counts against Viacom and Google with prejudice, but gave the plaintiffs leave to file an amended complaint against Viacom to address the few claims that remain, including the claim that Viacom violated the VPPA. That may be little ... Continue Reading

UPDATE on Breslow v. Wells Fargo – Same as the Old Boss: Eleventh Circuit Withdraws Opinion Just Four Days Later, But to Little Practical Effect

Posted in Communications/Media, Marketing and Consumer Privacy, Technology

Just a few days ago, we reported on the Eleventh Circuit’s decision in Breslow v. Wells Fargo, which reaffirmed precedent that strict liability can arise in autodialer, prerecorded-message and texting suits under the Telephone Consumer Protection Act (TCPA), if a caller or texter obtained consent from the intended recipient, but that party’s cell number was reassigned.  We noted how this reinforced the Eleventh Circuit’s prior decision in Osorio v. State Farm to the same effect, which in turn aligned the Eleventh Circuit on this issue with the Seventh Circuit under its decision in the Soppet v. Enhanced Recovery case.  Now, just days after it issued its ruling, the Eleventh Circuit – acting on its own initiative and not at the request of any of the parties – has withdrawn its Breslow decision.

In a short order, the Circuit Judges who decided Breslow vacated their original opinion, and held instead the prior Eleventh Circuit Osorio decision should have controlled in Breslow.  Specifically, the replacement Breslow decision observes that Osorio concluded that the “called party” for purposes of whether consent exists for an autodialed call or text or a prerecorded message is the subscriber to the cell phone ... Continue Reading

Summertime Blues: Eleventh Circuit Doubles Down on Strict TCPA Liability for Texts and Autodialed and Prerecorded Calls to Cell Phones

Posted in Communications/Media, Marketing and Consumer Privacy, Technology

Over the Spring, we reported on how the Eleventh Circuit’s decision in Osorio v. State Farm brought that court into alignment with the Seventh Circuit on how restrictions in the Telephone Consumer Protection Act (TCPA) on automated and/or prerecorded calls and texts to cell phones can effectively impose strict liability, even if a calling party believed it had consent for the calls.  Now that Summer’s here, the Eleventh Circuit reaffirmed and reinforced its Osorio ruling, and aligned with the Seventh Circuit even more closely, by holding in Breslow v. Wells Fargo that where a company gets prior express consent to prerecorded-call and/or auto-dial or auto-text a cell phone, the caller can still be liable if at the time the call is made the cell number has been reassigned to a new subscriber who did not consent.

As in the Seventh Circuit case of Soppet v. Enhanced Recovery, which we discussed here, the calls at issue in Breslow involved efforts to collect on an overdue account, this time by Wells Fargo, which believed it had consent to call the cell number which, at the time of the call, was used exclusively by Breslow’s minor son.  Wells Fargo called the ... Continue Reading

Should Have Stayed on The Farm(ville): Class Action Plaintiffs’ ECPA Claims Put Out to Pasture

Posted in Marketing and Consumer Privacy, Technology

Ah, to be a class action plaintiff these days. One day you’re up, plowing through the Northern District of California on expansive theories of injury, the next you’re down, upended like a top-heavy apple cart by a failure to properly plead your claims under the relevant statute. In In Re: Zynga Privacy Litigation, it was the latter—a failure to properly allege that Facebook and Zynga wrongly disclosed the “contents” of communications, under the Electronic Communications Privacy Act (ECPA). The Ninth Circuit decision affirming the district court’s consolidated opinion in Robertson v. Facebook and Graf v. Zynga, issued on May 7, 2014, can be found here.

Privacy class actions have often suffered from a glaring defect: the inability to allege injury, which is required for Article III standing and jurisdiction. In other words, the class plaintiff has made adequate allegations that information was wrongly disclosed, but not that consumers have been harmed by the disclosure. However, as we have reported previously (see also here), the Northern District of California has tilled the soil for more class actions—at least in that court—by holding that violations of a statute that establishes privacy rights and provides for statutory damages, such ... Continue Reading

Brazil Enacts “Internet Bill of Rights,” Including Net Neutrality and Privacy Protections

Posted in Global, Technology

Brazil’s long-debated “Internet Bill of Rights” has finally become law. The legislation, which passed the Brazilian Senate unanimously in April, is intended to secure equality of access to the Internet in Brazil—i.e., Net Neutrality—and provide privacy protections for Brazilian users of the Internet. Experts hailed the law “for balancing the rights and duties of users, government and corporations while ensuring the Internet continues to be an open and decentralized network.”

The law, known as the Marco Civil da Internet or “Marco Civil” (in English, the Civil Internet Regulatory Framework) was first proposed in the Brazilian Congress in 2011, but received new significance in late 2013 after revelations that the U.S. National Security Agency had spied on the communications of persons across the world—including Brazilian President Dilma Rousseff. Rousseff signed the Marco Civil into law on April 23, 2014. The law goes into effect in July.

Commonly referred to in English as an “Internet Bill of Rights” or “Internet Constitution”, Brazil’s new Marco Civil provides for the freedom of expression and of content on the internet while also limiting the amount of metadata that can be gathered on Brazilian Internet users. The legislation also includes broadly worded protections for... Continue Reading

“Like” It Or Not–It May Not Matter

Posted in Communications/Media, Marketing and Consumer Privacy, Technology

Loading Facebook’s “Like” Button Sends Personal Information Even If Not Clicked, and That Alone Could Violate the Video Privacy Protection Act

Recently, a magistrate judge in the Northern District of California confirmed what many already believed: that information disclosed to third parties without appropriate consent or pursuant to a permitted exception “must identify a specific person and tie that person to video content that the person watched in order to violate the [Video Privacy Protection Act].” But Magistrate Judge Beeler did not stop there and clarified that the VPPA “does not say ‘identify by name’ and thus plainly encompasses other means of identifying a person.” So what could have been a sigh of relief in the Hulu Privacy Litigation may now affect numerous websites that contain streaming video clips or programs and which allow users to “like” those pages on Facebook or plug in to other social media sites and applications. The court granted Hulu’s summary judgment motion with respect to its disclosures to comScore, but denied it with respect to Hulu’s Facebook disclosures, finding that material issues of fact remain and more information was needed to determine whether such disclosures were “knowing” or whether users had consented.... Continue Reading

Tax Extension Deadline is Another Opportunity for Email Fraudsters

Posted in Technology

Posted by Lance Koonce

Yesterday, my accountant called me to let me know that my 2006 federal tax return was complete, and that I was getting a refund. He then confirmed that he would be filing the return electronically after we finished our call.

This morning, the following email showed up in my inbox:

From: Internal Revenue Service []
To: Koonce, Lance
Subject: IRS Notification – Tax refund

After the last annual calculations of your fiscal activity we have determined that you are eligible to receive a tax refund of $249.30
Please submit the tax refund request and allow us 3-6 days in order to process it.

A refund can be delayed for a variety of reasons.
For example submitting invalid records or applying after the deadline.

To access the form for your tax refund, please click here

Internal Revenue Service

© Copyright 2007, Internal Revenue Service U.S.A. All rights reserved.

Now, I knew my refund was not for $249.30, unless my accountant did some seriously bad math.  But the proximity of the email after the e-filing almost convinced me this was legit. ... Continue Reading

Think You’re Safe?

Posted in Technology

Posted by Angela Kang and Jennifer Small

The latest RSA Monthly Fraud Report warns of a new “plug-and-play” phishing kit that can install a phishing site within two seconds. Creating a phishing site is now as easy as installing a “.exe” file. If that doesn’t ring any alarm bells, McAfee Avert Labs reports a 784% increase in phishing sites in the first quarter of 2007, with no slowdown in sight.... Continue Reading

Internet Scams Target Car Buyers and Sellers

Posted in Technology

Posted by Brian Bennett

Experts say that scam artists are targeting just about every internet web site for automobile sales. Warning signs that consumers should watch out for are:

1) the seller or buyer won’t provide contact information, or the information doesn’t check out;

2) the transaction involves a money wire or illegitimate escrow account; or

3) the deal sounds too good to be true.

Perhaps most important to keep in mind is that once you have given your account information, your money is gone.... Continue Reading

Chinese Bank Network Involved in New Phishing Tactic

Posted in Technology

Posted by Peter Mucklestone and Stuart Louie

As recently reported by Gregg Keizer at TechWeb News, Netcraft, a U.K.-based internet monitoring company recently uncovered the unauthorized use of China Construction Bank Corp.’s servers by online criminals to host “spoofed sites” in order to dupe customers of American banks and online retailers. China Construction Bank Corp. is one of China’s “Big Four” state-owned banks with more than 14,200 branches across China.... Continue Reading

Congratulations, You’re Entitled to a Refund . . . Now Hand Me Your Wallet

Posted in Technology

Posted by Lance Koonce

Perhaps I’m just cynical, but if the Internal Revenue Service sends me an email notice today saying that I have unexpectedly received a refund on my taxes, I will not rush out and start shopping for that new car just yet. (Of course, maybe that’s because my taxes are never done until April 15th, so anything I receive from the IRS this early is clearly a fraud.)

But the IRS is not laughing at the surge in email phishing attempts designed to prey on people’s tendency to trust official-looking communications from the federal government.... Continue Reading

Need Another Reason to Hate Tax Season?

Posted in Technology

Posted by Merrill Baumann

It’s axiomatic that wherever large sums of money are changing hands, there will be scams seeking a piece of the action… and tax collecting is no exception. Not surprisingly, the IRS warns that numerous phishing scams abound, where the perpetrator asks for confidential information in exchange for tax refunds or some other benefit. So how do you protect yourself against these fraudsters? One of the biggest weapons is common sense. Legitimate commercial outfits no longer request confidential financial information by unsolicited emails. And in many contexts, including with the IRS, simply ask yourself: Why are they asking for this information? Don’t they already have it?... Continue Reading

Phishing Scams Continue to Rise

Posted in Technology

Posted by Kraig Baker

Gartner reports that phishing attacks grew 28% from May 2004 to May 2005. Almost 2.5 million people reported losing money because of phishing attacks (and that’s just those that admitted to it) to the tune of $929 million, and 11 million people clicked on a phishing e-mail. Despite the increase, it doesn’t appear to me that phishing attacks have gotten that much more sophisticated. I think this is an outgrowth of people’s general fear of computers and gullibility with respect to the written word. People who fall victim to phishing are undoubtedly the same people who used to forward the Bill Gates chain letter.... Continue Reading

The Governator: Hasta La Vista, Phishers

Posted in Technology

Posted by Lance Koonce

On Friday, Governor Arnold Schwarzenegger signed California Senate Bill 355, the Anti-Phishing Act of 2005, which makes phishing schemes illegal in California. The legislation states that “[i]t shall be unlawful for any person, by means of a Web page, electronic mail message, or otherwise through use of the Internet, to solicit, request, or take any action to induce another person to provide identifying information by representing itself to be a business without the authority or approval of the business.”... Continue Reading

Phishing in the Wake of Katrina

Posted in Technology

Looters are apparently not the only persons seeking to benefit from the misery of others. The Salt Lake Tribune recently reported increasing incidents of phishing in the wake of Hurricane Katrina. Within hours after Katrina devastated much of New Orleans, a flurry of Katrina-related domain name registrations were reported, many thought to be linked to bogus charities and fund-raising cons. (Example of possible phishing site described here). On eBay, sellers are auctioning Katrina-related domain names “promising” to donate a portion of the proceeds of the sale to flood relief efforts. Even the large financial markets are not immune.... Continue Reading