The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee



Businesses generally ignoring e-discovery?

Last December, the revised Federal Rules of Civil Procedure (mandated by the Supreme Court) went into effect, establishing strict handling and production requirements for electronic evidence. eWeek reports that more than a year later, less than two-thirds of businesses are able to meet those requirements, which affect digital documents like email, Word documents, and digital audio and video. A report by IT researcher Osterman Research shows that, for example, 53% of businesses do not have a policy governing email retention and deletion.



Law article dissects the Sony rootkit fiasco.

The Magnificence of the Disaster, by Deirdre K. Mulligan and Aaron K. Perzanowski for the Berkeley Technology Law Journal, presents a well-written and thought-provoking analysis of the business and legal disincentives that led up to Sony’s bugging its CDs with particularly invasive and insecure software that endangered its customers’ computer security and privacy and also violated a number of state spyware laws.



Pretexters settle with FTC

The FTC announced today that it has entered into a settlement agreement with the fourth of five companies charged in May 2006 with pretexting. The FTC’s complaint charged the companies with falsely obtaining subscribers’ telephone records (or pretexting) and selling them without subscribers’ knowledge or consent. The companies are barred from marketing or selling phone records and must disgorge ill-gotten gains.



First State Attorney General to file action under COPPA

On December 5, 2007, the Texas Attorney General, Greg Abbott, filed simultaneous lawsuits against two separate Web site operators, alleging violations of COPPA, the federal law protecting children’s privacy rights online (the Children’s Online Privacy Protection Act, 15 U.S.C. §§6501-6506, and the Federal Trade Commission’s implementing rule, 16 C.F.R. §312).

Recently, the Texas AG has been cracking down on companies’ data protection practices, in particular in the areas of data security and data disposal. In 2007 alone, the Texas AG filed about half a dozen lawsuits against companies for improper data disposal practices in violation of the Texas Deceptive Trade Practices-Consumer Protection Act and the Texas Identity Theft Enforcement & Protection Act.

The first of Abbott’s suits (against Future US Inc.) was filed by the AG’s Consumer Protection-Public Health Division (Texas v. Future US Inc., W.D. Tex., No. A07CA-987LY, complaint filed 12/5/07). Future US Inc. is the owner of gamesradar.com, a Web site that contains information and content relating to video games.

The complaint against Future US Inc. alleges that Gamesradar.com contains content that is targeted towards children under the age of 13, attracts children under the age of 13, and “includes content or allows access to content that is inappropriate for children” (e.g., violence and nudity). Among Gamesradar.com’s alleged COPPA violations, children under 13 are able to register at the site, during which they provide personal information such as first and last name, e-mail address, physical address, gender and date of birth. According to Abbott, the registration process does not include any screening process to exclude children under the age of 13, nor does it obtain any prior verifiable parental consent before collecting such information. In fact, according to Abbott’s complaint, when inputting an age, the drop-down menu only allows the child to choose a birth year that would make them 13 years or older (i.e., the menu only includes years 1994 and earlier). Thus, not only does this method of obtaining age allegedly invite falsification (e.g., forcing a 10-year-old to identify herself as 13 years or older), but it allegedly enables children under the age of 13 to register with the site and participate in the site’s activities without obtaining the legally required parental consent. Furthermore, according to Abbott’s complaint, the site’s privacy policy is not compliant with COPPA and does not contain the disclosures and information required by COPPA.

The second lawsuit filed by Abbott’s office is against The Doll Palace Corporation, which operates a commercial Web site called “The Doll Palace,” located at www.thedollpalace.com (Texas v. The Doll Palace Corporation et al., W.D. Tex., No. A07CA-988SS, complaint filed 12/5/07). According to Abbott’s complaint, the website allows children to create and play with web-based dolls, as well as engage in various interactive activities with such dolls, such as message boards, chat rooms and other forums. According to the complaint, the users are required to register and provide personal information including first and last name, e-mail addresses, birth dates and postal address information. For certain features of the site, the complaint alleges that the users are required to complete an extensive profile, including information relating to personal habits, access to the Internet and other personal details. Unlike gamesradar.com, the Doll Palace does include a parental permission procedure in the registration process, but such procedure allegedly does not comply with COPPA. According to the complaint, when a potential member is registering on the site and indicates that he or she is under the age of 13, he or she is met with a message that states, “You need a parent’s permission to continue. Is a parent with you right now?” If the child selects “Yes”, he or she is directed to a permission page that allegedly (1) only requires a click on “OK” to complete registration and (2) fails to include any of the disclosures and information required by COPPA (e.g., contact information for the Doll Palace, and information regarding how a parent can revoke consent at a later time). If the child selects “No” when asked whether a parent is with him/her, the child is asked to submit an e-mail address for the parent, and is able to submit any e-mail address, including the one he/she already submitted for himself/herself earlier in the registration process. [1] The e-mail sent to that address allegedly does not contain the information or disclosures required by COPPA, contains a link that takes the child to a web page that only requires a click on “OK” to complete registration, and makes no other attempt to verify parental consent. Furthermore, among other alleged COPPA violations, according to the complaint, the Doll Palace’s privacy policy fails to include all of the required disclosures, is neither clearly nor conspicuously posted on the site, and the link for the privacy policy is in “the same font style and size as other links found at the bottom of the screen.”

Reportedly, the Texas AG’s COPPA suits mark the first time that a state has filed an enforcement action under COPPA since its enactment in 1998. Under Section 6504 of COPPA, state attorneys general are permitted to bring such actions, but must notify the FTC before doing so. Historically, the Federal Trade Commission has enforced COPPA, and according to the FTC’s website, the FTC has filed 12 enforcement actions under COPPA since 1998. Texas’ actions may foretell a new trend of state AGs becoming more involved in enforcing federal laws that protect consumers from privacy and information security infringements.


[1] It is interesting to note that the FTC might not interpret this to be a violation of COPPA. According to the FTC’s report that accompanied its final rule under COPPA, the FTC understood and accepted that many children under 13 share an e-mail address with a parent, and would not preclude a web site from accepting as verifiable parental consent an e-mail from the same address as the child. However, when a site may “disclose” a child’s information to third parties, for example, through interactive activities on the site such as chat rooms and message boards, a higher standard of verifiable parental consent (i.e., more than mere e-mail) is required. (64 Fed. Reg. 59888 et seq.)
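As an added illustration of the age-screening problem the complaints describe (this is constructed example code, not code from Gamesradar.com, The Doll Palace, or the Texas AG), the block below contrasts a year-only menu that offers only years making the registrant 13 or older with a neutral screen that accepts any date of birth, derives the age server-side, and routes under-13 registrants to a parental-consent step. The rejection of a “parent” address identical to the child’s own is an assumed site rule, not a statement of what COPPA requires.

```python
"""Neutral age screen for a children's registration form.

Constructed example: the year-only menu mirrors the behaviour alleged in the
Future US complaint; the flow and the same-address rule are assumptions.
"""
from datetime import date
from typing import Optional

COPPA_AGE_THRESHOLD = 13  # COPPA defines a "child" as an individual under 13


def offered_years_restricted(today_year: int) -> list:
    """Year menu as alleged in the complaint: only years that make the
    registrant 13 or older are selectable, so a 10-year-old cannot answer
    truthfully. For a form served in 2007 this yields 1994 and earlier."""
    return [y for y in range(today_year - 100, today_year + 1)
            if today_year - y >= COPPA_AGE_THRESHOLD]


def parse_dob(value: str) -> Optional[date]:
    """Accept an ISO date string from the form; reject anything unparsable
    instead of silently treating it as an adult."""
    try:
        return date.fromisoformat(value)
    except ValueError:
        return None


def age_on(birth: date, today: date) -> int:
    """Whole years elapsed, correcting for a birthday not yet reached."""
    years = today.year - birth.year
    if (today.month, today.day) < (birth.month, birth.day):
        years -= 1
    return years


def screen_registration(dob: str, today: str) -> str:
    """Neutral screen: any date may be entered; the decision is computed from
    the full date of birth rather than from the year alone."""
    birth = parse_dob(dob)
    if birth is None:
        return "invalid_date"
    if age_on(birth, date.fromisoformat(today)) < COPPA_AGE_THRESHOLD:
        return "parental_consent_required"
    return "registration_allowed"


def consent_email_acceptable(child_email: str, parent_email: str) -> bool:
    """Assumed site rule: a 'parent' address that merely repeats the child's
    own address is not accepted as a separate parent contact."""
    return parent_email.strip().lower() != child_email.strip().lower()
```

Using the complaint’s filing date (5 December 2007) as the reference day, a child born in 1997 cannot select a truthful year from the restricted menu, while the neutral screen routes that same child to the consent step.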



FTC settles with Adteractive

On November 28, 2007, the Federal Trade Commission issued a press release announcing its settlement with Adteractive, Inc., a large online marketer that advertises and markets its offers through e-mails and Web-based ads. Essentially, the FTC took action against Adteractive for violations of the FTC Act and the CAN-SPAM Act. The FTC’s complaint and final stipulated order were filed by the Department of Justice on behalf of the FTC in the U.S. District Court for the Northern District of California (United States of America (for the Federal Trade Commission), Plaintiff, v. Adteractive, Inc., doing business as FreeGiftWorld.com and SamplePromotionsGroup.com, N.D. Cal., No. CV-07-5940, complaint filed 11/26/07, stipulated final order filed 11/27/07).

The FTC’s complaint alleged that Adteractive used misleading tactics (including using spam e-mails with misleading subject lines) to lure consumers to its Web sites.

The e-mails sent by Adteractive to consumers allegedly contained subject lines such as “Test and keep this Flat-Screen TV” and “Congratulations! You’ve Been Chosen to Receive a Free $1000 Check!” Adteractive’s Web-based ads also allegedly contained similar language that essentially promised that the consumer would receive free merchandise. According to the complaint, both the e-mails and the ads contained links that led consumers to Web pages operated by Adteractive or its affiliates, which led the consumers through a series of other Web pages, promotions and activities that required the consumers to enter additional personal information and/or accept and pay for a certain number of goods or services promoted by third parties in order to qualify for the merchandise promised to them in the original e-mail or ad. Some of these third-party promotions included applying for and qualifying for credit cards and automobile loans.

According to the complaint, Adteractive failed to clearly and conspicuously disclose to consumers the material terms and conditions of its programs, including that consumers would have to incur financial and non-financial obligations in order to actually receive the so-called "free" gifts and prizes it offered. The FTC claimed that such failures violated Section 5(a) of the FTC Act, which prohibits unfair or deceptive practices. Additionally, the FTC alleged that Adteractive violated the CAN-SPAM Act by initiating commercial e-mail messages “that contained subject headings that would be likely to mislead a recipient, acting reasonably under the circumstances, about a material fact regarding the contents or subject matter of the message.”

The settlement requires that Adteractive clearly and conspicuously disclose in its e-mails and ads that consumers have to incur certain obligations (either financial or otherwise) in order to qualify for their chosen gift or promised “free” merchandise. The settlement also requires that Adteractive provide a list of the obligations that the consumer is likely to incur. Finally, the settlement prohibits future CAN-SPAM violations and imposes a $650,000 penalty (which FTC Commissioner Jon Leibowitz found to be inadequate, an opinion he expressed in a published dissenting opinion to the order).



Ninth Circuit finds enough evidence to support link between stolen hard drives and ID theft

For the last several years, we have seen courts consistently (although with some exceptions) dismissing consumer data security breach claims where the consumers were not able to allege actual damages beyond the costs of credit monitoring and emotional distress. See Ponder v. Pfizer, Inc., No. 07-466 (M.D. La. Nov. 7, 2007); Pisciotta v. Old Nat’l Bancorp, 2007 WL 2389770 (7th Cir. Aug. 23, 2007).

A recent reversal in one of these cases by the Ninth Circuit demonstrates the other side of the coin. In Stollenwerk v. Tri-West Health Care Alliance, the Ninth Circuit Court of Appeals, applying Arizona law, largely upheld the lower court’s "no harm, no foul" approach to assessing damages for a theft of personal information. However, for one of the three plaintiffs, the court reversed and remanded that plaintiff’s claim.

In Stollenwerk, three plaintiffs brought suit against Tri-West, a health claims processor for the federal government. Tri-West’s corporate offices were burglarized and computer equipment was stolen, including hard drives containing the plaintiffs’ personal data, i.e., names, addresses and social security numbers. The plaintiffs alleged, among other legal claims dismissed by the district court, that the theft of their personal data was caused by Tri-West’s negligent failure to secure their personal information.

Two of the plaintiffs did not allege that they had suffered any incidents of identity theft following the burglary, but sought to recover the cost of "enhanced" credit-monitoring services. However, the third plaintiff, Brandt, alleged that following the burglary, he experienced six incidents of identity theft, and he claimed damages with respect to those incidents.

The claims of all three plaintiffs were dismissed by the district court. The district court found that the two plaintiffs who did not suffer any actual incidents of identity theft had failed to show either that their personal data was actually "exposed" to the thieves, or that their risk of identity theft was significantly increased as a result of the theft of the computer hardware. Brandt’s claim was dismissed on the ground that he had shown insufficient causal connection between the burglary and the identity theft incidents that he suffered.

The Court of Appeals agreed with the lower court’s result as to the two plaintiffs who had not suffered actual incidents of identity theft, but disagreed with the result as to Brandt. The court reversed and remanded with respect to Brandt’s claim, finding that the showing as to the six incidents of identity theft following the burglary was sufficient for a jury to infer a causal connection to the burglary:

“The primary additional evidence of proximate causation Brandt produced was his testimony that (1) he gave Tri-West his personal information; (2) the identity fraud incidents began six weeks after the hard drives containing Tri-West’s customers’ personal information were stolen; and (3) he previously had not suffered any such incidents of identity theft. Of course, purely temporal connections are often insufficient to establish causation. See, e.g., Choe v. INS, 11 F.3d 925, 938 (9th Cir. 1993). Here, however, proximate cause is supported not only by the temporal, but also by the logical, relationship between the two events. *** As a matter of twenty-first century common knowledge, just as certain exposures can lead to certain diseases, the theft of a computer hard drive certainly can result in an attempt by a thief to access the contents for purposes of identity fraud, and such an attempt can succeed.”

An interesting aspect of the court’s reversal as to the third plaintiff’s claim is the potential impact it may have on the claims made by the other two plaintiffs (which were dismissed). If the court accepted the evidence that the third plaintiff’s ID theft was related to the stolen hard drives, then doesn’t it follow that the other two plaintiffs (whose personal information was stolen in the same theft) would also be at risk? And does this serve to undercut the court’s rationale that, for the first two plaintiffs, there was insufficient evidence that the thieves were interested in anything but the equipment itself?

For a more in-depth article about this case, see Jeff Neuburger’s Technology Law Update blog post "Ninth Circuit Upholds (Mostly) Dismissal of Data Breach Damages Case".



Do consumers care about privacy, or just not being surprised?

Seth Godin’s blog (via Consumerist) argues that most consumers are okay with practices and technologies that might be considered more privacy-invasive, so long as they’re not surprised by the outcome. His prescription for keeping away from the dark side?

"Make promises, keep them, avoid surprises. That’s what most people (and the profitable people) want."



Privacy Update teleconference, Dec. 13

Privacy and Information Security Committee members are invited to join us on Dec. 13 at 1-2 pm EST for the December Privacy brown bag teleconference. This monthly call, hosted jointly with the Corporate Counseling Committee, provides a regular forum for discussing new privacy and data security happenings (like recent legislation, noteworthy enforcement activity, market news and general privacy items of interest). Click here for more information about the Committee’s programs and events.



Facebook’s Beacon potentially a violation of Video Privacy Protection Act?

From The Laboratorium (via Boing Boing), an interesting discussion of how Blockbuster’s participation in Facebook’s Beacon advertising program may be a violation of the Video Privacy Protection Act of 1988.



House approves permanent extension of Do-Not-Call list

If you were worried about your phone number being up for grabs by telemarketers after the looming five-year anniversary of the Do-Not-Call list, the House of Representatives, er, has your number (pardon the pun). It just approved a permanent extension (HR 3541). In the original version, numbers added to the list were intended to age off after five years to allow for people who move and switch numbers. The Senate version (S 2096) is still waiting for a floor vote. Thanks to the CDT for the update.