The Hannaford breach is unique to the extent that credit card numbers were stolen while the information was in transit, or at the point of sale.  This represents a new more sophisticated line of attack, exposing the vulnerabilities in the communication between cash registers and branch servers, as Neal Krawetz of Hacker Factor Solutions has warned in research.

The method contrasts with the usual mode of attack, which targets data sitting in databases, as was the ca se in the record-setting theft of information from Massachusetts-based TJX Cos in 2005 and 2006.  That breach compromised 45.7 million accounts of customers of T.J. Maxx and Marshalls stores and now forms the basis of a pending federal consumer lawsuit in Boston.

Hannaford states that its breach occurred between Dec. 7, 2007 and March 10, 2008, but notes that while the breach was ongoing, the company was found to be in compliance with the relevant industry security standards.  “We have taken aggressive steps to augment our network security capabilities,” Hannaford president and CEO Ronald C. Hodge said in a statement on March 17.  “Hannaford doesn’t collect, know or keep any personally identifiable customer information from transactions.”

State and federal laws encourage businesses to encrypt consumers’ computerized personal information. Most state data breach notice laws do not require businesses to notify their customers when customers’ digital personal information has been stolen or lost if the information was encrypted. The Federal Trade Commission encourages but does not mandate that consumers’ personal data be encrypted. See Protecting Personal Information, A Guide for Businesses

Nevada enacted a statute that goes further and affirmatively requires businesses to encrypt certain consumer data. Washington and Michigan are currently considering legislation that would also require consumer data to be encrypted. The Nevada statute and the pending Washington and Michigan bills contain different encryption requirements. Of the various measures, the proposed Michigan bill and the Washington Senate bill would most effectively protect consumer data if they are enacted.

Unlike the Nevada statute, Michigan Senate Bill No. 1022 would require businesses to encrypt stored consumer data. The Michigan bill would, among other things, amend the state’s “Identity Theft Protection Act,” MCL 445.71-.72, by prohibiting the following conduct:

(e) If the person collects personal identifying information in the regular course of business and stores that information in a computerized database, failing or neglecting to store that information in the database in an encrypted form, in conformity with current industry-standard encryption methods and capabilities.

This prohibition would make it unlawful to fail to encrypt consumers’ personal information stored in digital form and to fail to use “industry-standard encryption methods and capabilities.” The latter prohibition should prevent businesses from deploying out-of-date encryption programs and from using deficient encryption procedures. It is important that businesses be required not only to encrypt stored data but to do so competently. See, e.g., Mike Chapple “Lessons Learned from TJX: Best Practices for Enterprise Wireless Encryption”  (December19, 2007) (reporting that the data theft of payment card data at TJX has been linked to the company’s use of the flawed WEP encryption program and to other errors). 

The proposed Michigan statute also includes, at section 16, authorization for financial institutions to bring civil actions for card replacement and other costs against persons who maintain computerized databases that contain personal information if a security breach of the database occurs. Section 16 of the Michigan bill is similar to Minn. Stat. 365E.64, which was adopted last year. See Randy Gainer, “State Laws to Shift Some Data Breach Costs to Businesses with Weak Security” (May 25, 2007).

Two bills pending in the Washington State legislature, Substitute House Bill 2838 and Senate Bill 6425, would also authorize financial institutions to recover such costs from persons who must disclose data breaches. See section 1 of Sub. HB 2838 and section 6 of SB 6425. 

Section 4 of pending Washington SB 6425 would also require businesses that collect or store computerized personal information in connection with payment cards to “comply with payment card industry data security standards established by the PCI security standards council.” Requirement 3.4 of the current version of the PCI Data Security Standard (PCI DSS) mandates that the primary account number of payment cards must be protected while in storage by encryption, hash indexes, truncation, or index tokens and pads. Requirement 4 of the PCI DSS mandates that card information be encrypted when it is transmitted over easily accessible networks. Proposed Washington SB 6425 would, therefore, effectively require encryption for payment card data in transit and require either encryption or other data-masking measures for payment card primary account numbers while they are in storage.  

The election season may be in full swing, and the buzz about the recent Superbowl at full throttle, but heated debates and bravado are not just limited these days to politicians and athletes.  Recently, search engine vendor Ask.com and its supporters have come out swinging against several privacy groups over a complaint they recently filed that requested the Feds to forcibly pull the plug on a new feature called AskEraser. As Nicholas Graham, a spokesman for Ask.com stated: [The complaint] merits a 15-yard penalty for unsportsmanlike conduct.

Immediately thereafter, the Center for Democracy and Technology (CDT), a Washington-based think thank, voiced its support for Ask.com by sending a letter to the Federal Trade Commission urging it to dismiss the complaint as "unfounded."  In the letter, CDT defended Ask.com, stating that it "had proactively addressed or is in the process of addressing the concerns previously raised by the petitioners that are within [its] control. "

At time of launch, AskEraser aspired to let users ask for their search activity data not to be retained on the company’s servors. Ask.com claimed that when enabled by a user, AskEraser would completely erase search activity data from the system, including IP addresses, user IDs, session IDs and the text of all queries.

But the coalition claims that Ask.com's proclaimed aspiration and implementation were deceptive. It claimed that while Ask.com portrayed itself to be "serious about privacy" and "committed to meeting and exceeding emerging privacy trends," it failed to prevent or regulate the collection and use of user Ask.com searches by third-party advertising companies. The only way for a user to prevent such collection would be to visit each third-party site and disable cookies on those individual Websites. On a related vein, in order to enable AskEraser, users first needed to accept an opt-out cookie, which, in itself, was a persistent unique identifier. Plus, the coalition argued, Ask.com reserves the right to retain user search data in case of a court order without informing users.

 The debate, for now, will continue in court . . .

The FTC recently announced a consent decree with online retailer Life is good (www.lifeisgood.com) that offers insight into what that agency may believe are the bare minimum steps companies must take when making the kind of generic we-protect-the-information-you-give-us statements found in most privacy policies. The FTC claimed Life is good offered such reassurances but failed to have in place sufficient measures (from the FTC's view) to back them up, based on the ability of a hacker to use SQL injection attacks on Life is good’s website to access consumers' credit card numbers, expiration dates, and security codes. To resolve allegations in a draft complaint the FTC had prepared alleging unfair trade practices, Life is good settled the claims by entering a consent decree requiring it to adopt a comprehensive information-security program and obtain biennial audits by an independent third-party security professional … for the next 20 years.

Significantly, the FTC pursued Life is Good based not on allegations that it violated any privacy- or financial-services-specific law or regulation (such as the FTC’s Financial Privacy or Safeguards rules), but rather under the agency's generic unfair-trade-practices authority, to proceed on a theory that the company made representations to the public in the course of soliciting and entering commercial transactions, then failed to honor its representations. According to the FTC's press release, Life is good collected sensitive consumer information including names, addresses, credit card numbers, credit card expiration dates, and credit card security codes, pursuant to a privacy policy that claimed: “We are committed to maintaining our customers' privacy. We collect and store information you share with us - name, address, credit card and phone numbers along with information about products and services you request. All information is kept in a secure file and is used to tailor our communications with you.” The FTC alleged that Life is good failed to honor this commitment because it:
• unnecessarily risked credit card information by storing it indefinitely in clear, readable text on its network, and by storing credit security card codes
• failed to assess the vulnerability of its website and computer network to commonly known and reasonably foreseeable attacks, such as SQL injection attacks
• failed to implement simple, free or low-cost, and readily available security defenses to SQL and similar attacks
• failed to use readily available security measures to monitor and control connections from the network to the Internet
• failed to employ reasonable measures to detect unauthorized access to credit card information

The consent decree has the standard provision that the company will no longer violate the FTC Act, but in addition, the above-referenced "comprehensive information-security program" that Life is good must institute requires administrative, technical, and physical safeguards tailored to the size of Life is good as a commercial entity, the nature of its activities, and the sensitivity of the personal information it collects. Specifically, the consent decree mandates an information-security program that includes:
• designation of an employee or employees to coordinate the information security program
• identification of internal and external risks to the security and confidentiality of personal information and assess the safeguards already in place
• creation and implementation of safeguards to control the risks identified in the risk assessment
• monitoring the safeguards' effectiveness
• development of reasonable steps to select and oversee service providers that handle personal information of Life is good customers.
• evaluation and adjustment of the program to reflect the results of monitoring, material changes to the company’s operations, or "other circumstances" that may effect program efficacy
• bookkeeping and record-keeping to facilitate FTC monitoring of compliance with the consent decree
Further, the above-noted independent, third-party security auditor that Life is good must employ biennially for the next 20 years, will be required to certify the security program meets or exceeds the requirements of the consent decree, and is operating with sufficient effectiveness to provide reasonable assurance of the security of consumers’ personal information.

While the duration and reach of the information-security program’s terms mandated by the consent decree may be heightened in part as a result of Life is good having been open to a hacker’s attack that resulted in a compromise of consumers’ sensitive data, the basic framework suggests what security measures the FTC believes most companies should have in place. It indicates that, in general terms, a company should have an employee (or, if necessary, several employees) charged with oversight of securing the sensitive personal information the company collects, routine information-security risk assessments and establishment of safeguards against identified risks, and monitoring, bookkeeping and record-keeping that demonstrates the functioning and efficacy of the program. In addition, it appears the FTC expects companies take at least reasonable steps to ensure that third parties with which a company shares its sensitive information, have in place sufficient measures to ensure that nay sensitive data that is shared will be secure upon receipt by the third party.

The FTC’s announcement of the consent decree provides an opportunity for all companies that collect sensitive personal information, and that publicly make promises about how they safeguard that data, to re-evaluate their data security programs to ensure they are meeting at least the minimum steps the FTC appears to expect. The FTC’s Protecting Personal Information: A Guide for Businesses is a good resource in this regard as well.

California extended its data breach notification law to include incidents involving electronic medical and health insurance information. California's data breach law, SB 1386, had previously covered only financial records. The new law, AB 1298 took effect January 8, 2008. The law adds medical and health-related information to the existing breach notification law definition of "personal information" and expands the application of the Confidentiality of Medical Information Act (CMIA) to include any business organized for the purpose of maintaining medical information.

• It applies prohibitions of the Confidentiality of Medical Information Act to any business organized for the purpose of maintaining medical information for treatment or diagnosis. 
• It permits a consumer reporting agency, regardless of the existence of a security freeze, to disclose public record information lawfully obtained from an open public record to the extent otherwise permitted by law. This provision stems from a recent court decision which threatens to eliminate the "freeze access" law in California without this change. These provisions do not prohibit the consumer reporting agency from electing to apply a valid security freeze to the entire contents of a credit report. 
•  It adds “medical information” and “health insurance” information to the definition of “personal information” that, if acquired by an unauthorized person, would require notification of the security breach. 
  •  “Medical Information” is defined as “any information regarding an individual’s medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional.” 
  •  “Health Insurance Information” is defined as “an individual’s health insurance policy number or subscriber information number, any unique identifier used by a health insurer to identify the individual, or any information in an individual’s application and claims history, including any appeals records.” 
•  AB 1298 adds unencrypted medical histories and information on mental or physical conditions or diagnoses to the types of records covered by the California breach notification law. Unencrypted insurance policy or subscriber numbers, applications for insurance, claims histories and appeals are also now covered. 
• It is important to note that these new provisions are not limited to health care providers, but may affect any employer or other entity with computerized employee benefits or other health data.
  

After a brief introductory “Overview of Behavioral Advertising” that served as Session 1, Dave Morgan of TACODA, Inc. argued that behavioral advertising represents the onset of a period of advertising where consumers receive ads intended to be more “relevant” to their interests and needs. In other words, consumers receive fewer, but better tailored contacts, because advertisers can offer focused, well-targeted ads. He suggested that innovations in behavioral advertising protect privacy by providing more tools and greater privacy choices, and noted that because consumers have greater privacy controls they are driving the market for online service and retailers engaged in behavioral advertising must heed these consumer preferences. Michael Walrath, of Yahoo!, discussed the benefits of behavioral advertising, suggesting that behavioral advertising does nothing more than allow Yahoo to know their customers – a common objective of all marketing activity. 

Google’s Tim Armstrong asserted that the behavioral advertising business model revolves around the establishment of consumer trust. Retailers can not employ these advertising tools if the customers do not trust the retailer’s business practices. He argued that, because this is a very competitive business environment, there is a significant amount of consumer choice, and consumers can walk away from the advertising at any time (simply by discontinuing use of certain services).   An advertising firm operating in Europe, Net Mining, discussed its practices operating within the EU’s current privacy directives and how they differ from most US-based companies’ approaches. The impact of the EU directives on the behavioral advertising business model include limitations on cookie profiling of online visitors (must be anonymous), limits on site specific score-based advertising (again, must be anonymous), and ensuring that behavior driven interactions are appropriately scrubbed to ensure anonymity.

Pam Horan, of the Online Publishers Association, argued that behavioral advertising enhances user experience by offering targeted advertising that the user values more than ads not relevant to the user’s interests. She suggested there is a “value exchange” between advertisers and consumers because these practices provide revenue sources for the online publishers, thereby making available the content and services offered through web sites provided by online publishers. Ralph Terkowitz, a General Partner at ABS Capital Partners, asserted that economic incentives for behavioral advertising are different from traditional marketing because the means of delivery of such ads (over the Internet) has dramatically reduced, if not eliminated, the costs of delivering the ads. Finally, to conclude this session, Oregon State University’s Carlos Jensen offered evidence that the use of online tracking tools, including web bugs and cookies, is increasing dramatically in the U.S., but actually decreasing in Europe. Although the implications of these findings were not clear, Jensen seemed to suggest that online commerce in Europe continues to develop at the same pace as commerce in the U.S., and that use of behavioral advertising techniques is therefore not essential to continued development of innovative and commercially valuable applications and content.

Session 3: Consumer Survey Data

In this session, George Milne, an Associate Professor of Marketing at the University of Massachusetts-Amherst, reported on a survey of consumers, marketing managers and direct marketers who were asked whether they wanted to allow information gathering technologies to gather information, and if so, whether they preferred opt?in procedures, opt?out procedures, or no permission tools at all. The survey revealed that most consumers want to control the technologies used by marketers (45% did not want to allow use of the technologies and nearly 35% wanted an opt?in framework). Consumers expressed greater concerns with new technologies than those that were more familiar. Generally speaking, consumers did not want to allow information gathering technologies while marketing managers preferred the opt?in option, and direct marketers preferred the opt?out option. 

Larry Ponemon then reported that 8% of the population is “privacy?centric,” meaning they care deeply about privacy, 72% are “privacy?sensitive,” meaning that they care about privacy but not to the extent that it changes their behavior, and 20% (generally younger people) are “privacy complacent,” meaning they do not care about the sharing or selling of their private information. Consumers associate negative connotations with the word “cookie,” especially in a privacy policy, although the greater the consumer’s knowledge of cookies, the less negative the perception and the more likely a consumer is to opt?in. Mr. Ponemon summarized that (1) consumers want to have more control over their personal information, although an online ad that targets their preferences improves their online experience; (2) consumers do not want to pay for “free” Internet content or services; and (3) cookie deletion is declining, which may mean that consumers are more complacent.

Session 4: Data Collection, Use and Protection

This session allowed company representatives to express concerns about consumer privacy and to discuss how their firms build privacy protections into their respective architectures. They described ongoing internal reviews of their systems that are performed to maximize consumer privacy protections. 

A representative of the U.S. Public Interest Research Group said that, never?theless, serious problems persist for consumers when they go online, and added that consumers reveal much more information about themselves online than they realize, and much more than they would in the real world. Consumers need to realize that every bit of information gathered about them has value. They should know what infor?mation is collected and what happens to that data. A representative from the Office of Privacy Commissioner in Canada noted that unlike the U.S. in the E.U. and Canada the government super?vises the collection and use of data. Panelists noted that while it is more trouble to anonymize data, it certainly can be done. The increasing ability to collect personal information in real-time makes consumer control of data even more important. 

In response to audience questions, the panelists emphasized the need for transparency, stating that the information collection industry needs to be clearer with people about what companies are doing with their data.

Session 5: Roundtable Discussion of Data Collection, Use and Protection

During the roundtable, a variety of companies and other entities defended their information practices while others pointed out weaknesses in overall practices, emphasizing a common consumer view that companies fail to provide clarity (a.k.a. “transparency”) with respect to information practices.

Participants shared concerns about teens’ social networking. Observers assert that teens do not know that everything they say or do on social networking sites is available to marketers. Panelists felt that rules are needed on access to teens’ information and privacy disclosures to kids, and that teens do not understand behavioral targeting. Facebook noted that information is not being sold but this does not mean the information is not being collected. Panelists opined that people below age 25, especially those below age 18, believe anonymity is a substitute for privacy.  Many panelists believed teens do not even think of privacy when they are on Facebook. (Since then, the flap over Facebook’s privacy practices and its Beacon program shows that that many young people are in fact concerned with privacy.) 

Some participants believe that no one reads privacy notices, so to say that a site has a good, clear privacy policy is meaningless. Many felt that a better way to educate consumers needs to be developed.

The session also revealed that, among companies and consumers, considerable difference of opinion exists as to who owns personally identifiable information (“PII”). Some stated that a major issue – if not the major issue – is data security, pointing to concerns about misuse of data when it falls into the wrong hands.

Session 6: Disclosures to Consumers

This session focused on privacy policies and similar statements of companies’ online practices concerning user data. The session also addressed the generation of targeted advertising and the efficacy of such industry efforts. Lorrie Faith Cranor, an Associate Research Professor at Carnegie Mellon, began the session with a short presentation exploring the disconnect between consumers’ statements that protecting their privacy online and in related contexts is important notwithstanding their lack of effort to avail themselves of available tools to safeguard their privacy. Ms. Cranor offered two main explanations for this contradiction: first, that some consumers do not appreciate the impact of some of their online behavior on their privacy, and second, the direct and indirect costs of taking privacy?protecting steps are too high. She also cited studies that show that privacy policies tend to be too difficult to understand, in part because they require college?level reading skill, and in part because they contain too much “legalese.” Research indicates that consumers dislike even well?written privacy policies which can have little utility due to consumers’ low comprehension.   Research indicated that consumers tend to place greater trust in longer written policies based on their often-misplaced belief that those policies are more privacy?protective.

The session also included open panel and question?and?answer discussions that focused heavily on policy rather than regulatory concerns. The conversation examined practices and still?developing plans of specific major online entities represented on the panel. Panelists agreed that consumers place a premium on companies’ transparency practices and the degree of consumer data control. There appeared to be substantial support for a model wherein the more intensive the use of a consumer’s PII, the more frequently consumers should receive a concomitant opportunity to opt out, presented in an obtrusive manner. Examples included reminder pop?ups associated with the Google toolbar, and eBay’s recently launched initiative to “tag” ads, provide pop?up with its ad policy, and continuously provide links such as “why am I receiving this” with the ads.

Extended discussion ensued regarding methods to get consumers to read and appreciate posted privacy policies, though there was also a recognition that there is only so much companies can do to “force” consumers to take an interest and act on it. Moreover, there was debate about what the right metric should be for a privacy policy’s efficacy, i.e., whether users actually take the time to read it, or whether specific information is available when a consumer wants to find it.

Some panelists suggested that some common privacy messages are not useful for consumers, including the phrase that a website “shares your information with certain trusted third parties.” This statement tells consumers nothing about who is receiving their information, what they are using it for, whether it is being combined with other information and the origin thereof, or what the third parties have done to be deemed “trusted.” As an overarching matter, however, most agreed there must be a way for consumers to identify and track their “digital identity” across multiple online (and offline) environments. The panel discussed the prospects that government regulation of privacy standards and notices might be worth examining. A number of panelists agreed that the market is leading to development of private self?regulatory initiatives.

Regarding specific practices, panelists agreed that reaching a consensus on symbols and messages across websites would help increase transparency (e.g., having an icon attached to ads that stands for “ad” and associating the ad with a pop?up or pop?under with information about how the ad relates to the PII collected). Conversely, consumer advocates suggested more robust links with messages like “click here to learn more about how your personal information is used by this website” rather than, for example, simply “privacy policy” or “learn more.” Industry panelists were lukewarm to the idea. They stressed that online, “every pixel counts,” whether it is maximizing revenue, communicating information, or just presenting white space to enhance the readability and overall impact of a site. 

Session 8: The Regulatory and Self?Regulatory Landscape

This session demonstrated that companies believe the industry as a whole is doing an excellent job protecting consumer privacy, and that many believe the Network Advertising Initiative (“NAI”) plays a useful, if voluntary, role in creating best practices for the industry. Consumer groups, on the other hand, believe the NAI and its opt?out cookie are not working, that technology has passed-by the NAI, and that the industry is not effectively self?regulating. Advocacy groups describe consumers as generally unsophisticated and in need of education on the ways companies track and target them.   

Panelists discussed the do?not?track model as an alternative to the current practice of notice and choice, but some companies thought it might be technologically challenging to implement. Consumer groups liked the idea of having one place a consumer can visit to avoid being tracked, although as proposed, some thought it put too great a burden on the consumer. Until the very end, when one speaker said that consumers need enforceable rights, there was really no suggestion that the government needed to step in to create a more consumer?friendly environment beyond the current industry self?regulation, even if that self?regulation may be less than perfect.

Session 9: Roundtable on the Future of Behavioral Advertising

The final session centered on the tracking and profiling of consumers: how they are tracked, who is tracking them, and what the business and legal consequences could be.

Katherine Albrecht, Director of CASPIAN, spoke about the future of Radio Frequency Identification (“RFID”) tags. RFIDs are likely to increase in both number and sophistication. She posited that soon a company may be able to identify all of the items inside of a purse, when and where each item was purchased, and who owns the purse – all through RFID tags. This level of tracking may have negative implications for consumers, many of whom do not know what RFID tags are. One possible negative consequence is price discrimination against consumers whose purchasing behavior makes them less profitable than others.

Jules Polonetsky, Chief Privacy Officer from AOL, spoke about the future of cookies as identifiers of consumer behavior. He said that while cookies are useful for advertising, they are not as useful for data collection or tracking. Many cookies are blocked by anti?spyware programs, and others are removed by people who are proficient with browser controls. Mobile devices, where many people think the future of behavioral advertising lies, do not yet have cookies, in part because the devices are not “granular” enough, but likely will support cookies in the near future. This means that, for now, it is not easy to pinpoint a mobile’s location within a small area beyond using the location-tracking abilities (for enhanced 911 purposes) that the devices already feature.

Alissa Cooper of the Center for Democracy and Technology noted that ISPs are in a commanding position to gather, use and market data reflecting online behavior but doing so will create a complicated set of issues. Another panelist said that while consent and notice issues between consumers and websites are complex, issues between consumers and ISPs are even more complex. This is because unlike ad networks, ISPs’ documenting and analyzing of data that flows through their systems may violate wiretap laws. Panelists noted that content-based wiretapping laws may apply when ISPs monitor e?mail, but this may not be the case when the ISPs collect internet protocol (“IP”) addresses. 

Some presenters argued that end users are often sophisticated, and prefer to choose their level of privacy protection. For example, in social networking sites such as Facebook, users can choose to provide information about themselves to anyone on the site, or they can choose to restrict the information to only those users they permit to see it.

Ever since the computer was invented, people have wondered when such machines would be able to think. In 1950, mathematician Alan Turing suggested a simple test for computer intelligence: if a computer can fool a human being into thinking it is also human, said Turing, the machine should be considered intelligent.

Turing died in 1954 but must have rolled over in his grave last week when the Turing test's reputation hit a new low: security analysts discovered a "sex chat" computer program so lifelike it was fooling customers into disclosing their personal data.The program is called "CyberLover" and exploits a technique long known to security researchers as "social engineering," a fancy term for manipulating users into disclosing information. What's new with this con is that the one doing the social engineering is a computer program. And a hard working one.  According to Ina Fried, citing a report from PC Tools, CyberLover "can work quickly, too, establishing up to 10 relationships in 30 minutes.... It compiles a report on every person it meets complete with name, contact information, and photos."

Of course, the user must volunteer this information, which raises another intriguing question: Are users that are naive enough to give out personal information to a computer sex-chat program able to pass the Turing test themselves?

The Federal Trade Commission recently announced that as a result of a new crackdown by the agency on violations of the National Do-Not-Call Registry (“NDNCR”) and related provisions of the FTC’s Telemarketing Sales Rule (“TSR”), it entered several consent decrees with multiple companies totaling $7.7 million in civil penalties, with one complaint still outstanding. The FTC brought the enforcement actions against Craftmatic (purveyor of adjustable beds and mobility assistance scooters) and affiliated entities through which it conducts telemarketing, ADT for TSR-violative actions by authorized third-party dealers of its security systems, Ameriquest Mortgage Company, Guardian Communications and its prerecorded call vendor U.S. Voice Broadcasting, and Global Mortgage Funding. Each of the first four companies and their affiliated entities entered consent decrees with the government and agreed to pay substantial civil penalties (amounts provided below) and to injunctive relief prohibiting them from engaging in similar violations in the future, while the FTC’s complaint for civil penalties and injunctive relief against Global was to be filed.

For Craftmatic, which agreed to pay a $4.4 million civil penalty, the second highest NDNCR fine ever, its attempt to use sweepstakes to create an established business relationship and/or obtain prior express consent to future telemarketing calls was insufficient to permit calls to the sweepstakes entrants who were on the NDNCR, and the FTC further alleged violations of its rule against “abandoned” telemarketing calls (i.e., those that connect to a consumer but disconnect before a live sales agent comes on the line), and that Craftmatic failed to honor company-specific do-not-call requests.

With respect to ADT, which agreed to pay a $2 million civil penalty, the FTC made allegations similar to those it made in brokering a $5.3 million settlement with DirecTV in 2005 -- that is, the company failed to exercise sufficient control over authorized third-party dealers selling its services through (among other means) telemarketing to numbers on the NDNCR, which in ADT’s case, were Alarm King and Direct Security services, who respectively agreed to pay $20,000 and $25,000 civil penalties. In addition, ADT’s consent decree required it, like DirecTV, to adopt a compliance program with detailed monitoring, record-keeping, and reporting requirements.

The complaint and consent decree for Ameriquest are somewhat opaque in alleging that it placed calls to numbers listed on the NDNCR and to consumers who had made company-specific do-not-call requests to Ameriquest, which agreed to pay a $1 million civil penalty. However, the FTC’s press release provides slightly more detail, basically that Ameriquest improperly relied on third-party lead-generators for TSR compliance, as has been the case with other telemarketers with whom the FTC has settled alleged telemarketing violations.

For Guardian Communications and U.S. Voice Broadcasting, which agreed to a judgment in the amount of nearly $7.9 million with all but $150,000 suspended due to inability to pay, the violations arose out of prerecorded messages, all of which the FTC treated as abandoned calls, while further alleging that Guardian failed to provide proper caller ID information and placed calls on behalf of entities that were required to pay NDNCR fees but had not done so.

The Global Mortgage complaint contains bare allegations that it placed calls to numbers on the NDNCR, without paying NDNCR fees, that it abandoned calls, and that it failed to transmit caller IDs. As noted, there is no consent decree for Global (and, moreover, the complaint recites that it filed Chapter 7 bankruptcy last year), so there are fewer details about this enforcement action than there are about those above.

Last week, under pressure from privacy rights activists, Vermont Senator Patrick Leahy introduced an amendment to the Wired for Health Care Quality Act [S.1693].  Until then, this bill was nurtured along by proponents of health information networks and was poised to be “hotlined” for unanimous consent without debate in Congress.  

The proposed amendment uses language familiar to those of you who have read HIPAA.  Terms such as “protected health information” and “notice of privacy practices” appear in both the HIPAA regulations and the proposed amendment. However, the definitions are dramatically different.  For example, the proposed amendment to S. 1693 includes genetic and biometric information in the definition of protected health information and expands it to information collected or used by health researchers, schools and universities, and employers.  The scope of HIPAA was limited to those traditionally engaged in the delivery of health care such as providers and payers.

Of course, there is no requirement that the federal laws and regulations of our nation be consistent, avoid duplication, or otherwise articulate a uniform policy or approach.  As a lawyer, I suppose I should be grateful for that.  Nevertheless, rather than appending the bill intended to develop health information networks with privacy provisions that duplicate and/or contradict the HIPAA regulations, the more rational approach would be to address privacy concerns in an amendment to HIPAA and extend the application of HIPAA to health information networks.  

There are some privacy provisions unique to the concerns of information available and shared through a health information network that are appropriate to retain in the legislation and proposed amendment.  Mandatory notification of security breaches to the network and opt-out rights are specific privacy and security safeguards for the storage and exchange of electronic health records in such networks and addressed in the S. 1693 proposed amendment.

It may sound like a public health warning, but apparently a late night with an illicit movie downloading site can leave you with a very nasty infection.

What does this mean?  That screenwriters are morons, of course -- there's simply no chance those aliens zipped across the galaxy, took out our nukes, but forgot to install McAfee or Norton.  But that's all been noted before.  Let's instead take this as a cautionary tale anyway: No matter how much you LUST after free downloads, always use CAUTION.  Although downloaders of free pornography have known this for some time, apparently they're not as vocal a group as Chines movie buffs.  Who knew? 

Of course, while some sites may simply be doing their part in making sure that Ang Lee's message gets shared with the world with no remuneration for Mr. Lee, is it really that surprising that sites offering free downloads of any hot content may be luring users in for some other purpose? 

Still, the temptation to download here may be particularly acute.  Ang Lee was forced to "personally cut on-screen sex and other scenes in Lust, Caution to allow it to pass Chinese censors and screen on the mainland."  One assumes the free downloads are uncensored versions.  Given that Chinese doctors also have been dispensing medical advice warning moviegoers "not to try some of the more ambitious sexual positions featured in the uncut version of the film", the dangers of Lust, Caution seem to be pretty severe all around.

At least the downloaders in China don't have to stare at Jeff Goldblum as their mothership goes up in flames around them.  Now that would be sick.

Web users may be better able to travel incognito online by the end of the year. 

AOL unveiled a new program last week that is designed to help webusers shield their online travels from advertisers. This technology would allow users to opt-out of online ads that are targeted to them based on their Web-surfing habits. The program aspires to “engender greater trust for targeted advertising by communicating with consumers in a more visible way, and by providing them more information about their choices,” stated Curt Viebranz, president of AOL’s ad platform.

The new program comes at a time when consumer privacy groups are demanding increased regulatory oversight of online advertising. Groups such as the Center for Democracy and Technology, the Electronic Frontier Foundation, and Consumer Action recently sent a proposal to the Federal Trade Commission requesting that it oversee a mandatory “Do Not Track” registry that would ban companies from tracking online users for purposes of sending behaviorially-targeted ads. Relevant to that proposal, last week the FTC hosted a two-day town hall meeting entitled “Ehavioral Advertising: Tracking, Targeting, and Technology.”  There, representatives of companies including Facebook and Google, advocacy groups and trade organizations convened to discuss present-day and future issues surrounding digital consumer data.

An article about the upcoming AFI Festival in last Friday’s Los Angeles Times focused on a controversy around one of the film festival’s productions by Adam Rifkin titled “LOOK.” 

The description for this movie set forth in the AFI Festival Guide states: “There are approximately 30 million surveillance cameras in the United States capturing covert images of average Americans as much as 200 times a day. They're watching in department stores, gas stations, changing rooms, public bathrooms — seemingly no one and nowhere are free from the dispassionate eye of the hidden camera. LOOK pieces together this rush of information, finding several provocative, interwoven storylines amid the noise of life in a random city.” To drive home the point, a photo that accompanies the description depicts two scantly clad young women in a department store dressing room.

The photo is not as shocking as the premise that someone could make an entire film ‘peeping’ through the lens of a surveillance camera. There appears to be a disconnect between what the public generally perceives as ‘private’ and what is in fact private. The movie makers apparently make this point by violating the average person’s notion of personal privacy. In a review of LOOK, Lane Kneedler writes:

“No one is spared from the relentless, unblinking eyes of the surveillance cameras that are now hidden in every nook and cranny of day-to-day American life. The average citizen is captured nearly 200 times a day—in department stores, gas stations, changing rooms, and even public bathrooms. Shot entirely from the point of view of the security cameras, Adam Rifkin's film reveals the things people do when they don’t know they’re being watched.”

In a statement responding to the article, Mr. Rifkin claims that it is legal in 37 states to have video cameras in public dressing rooms and bathrooms.   I did not verify whether this claim is accurate. Nevertheless, it is disturbing that surveillance cameras capture unsuspecting individuals in private situations and raises the question on the appropriate level of government regulation and oversight on these activities. 

Until then, remember that Big Brother Hollywood is watching . . .