The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

FTC issues consent orders in TJX, Lexis-Nexis cases

Retailer TJX and data brokers Reed Elsevier/Seisint have both agreed to consent orders with the FTC for their individual data breach cases. While no fines were levied in either case, both companies are required to build and audit comprehensive data security programs.

Hannaford’s malware update

In a letter to Massachusetts regulators, Hannaford identified malware installed on servers at each of their stores as the culprit in their massive data breach (CNET reports). The malware intercepted credit card information at the point of sale (a first in security breach annals, where most have resulted from hacks into databases) and sent it to fraudsters overseas.

Canadian University Faculty Decline to Use Google In Fear of Patriot Act

This Canadian news story relates objections by faculty at a Canadian university to the use of Google services, because of fear of surveillance by the U.S. government, under the Patriot Act.

Anonymous Blogging Banned by Cisco

As related on the Patently-O blog, Cisco is being sued for comments made anonymously on a blog by a Cisco employee who was criticizing "patent trolls." Not just any Cisco employee: it was their IP Director. Cisco has now decided to prohibit anonymous blogging by employees on issues related to their employment.

CDT issues compendium of “sensitive data” categories for BT

Just in time to hash over at the privacy or consumer protection conference of your choice, the CDT has issued a document that it describes as a compendium of proposed approaches for determining what should be classified as "sensitive data" under the FTC’s proposed self-regulatory guidelines for behavioral targeting.

The document gathers together relevant definitions and their contexts from an array of privacy-related laws, guidelines and policy proposals, including HIPAA, COPPA and the EU directive. The CDT’s own proposal to the FTC town hall meeting last year comes first, with its controversial definition of PII (including both IP address and profiling data unconnected to any additional identifiers).

Hannaford Hit With 4 Class Actions in Days Following Breach Announcement

Since the supermarket chain’s public announcement last week that its network was breached, compromising the security of 4.2M payment cards, Hannaford Bros. Co. has been sued in four different consumer class action lawsuits. The suits allege negligence, breach of implied contract to safeguard customer payment card information, and violation of state unfair trade practices laws. The suits also allege that Hannaford failed to notify customers of the breach in a timely fashion.

Medical Identity Theft Is Nothing To Sneeze At

According to the World Privacy Forum, medical identity theft is on the rise, and the problem will only get worse before it gets better. This article from msnbc illustrates the issue and how it can impact individuals in a worse way than financial identity theft.

Proposed SEC Rule Would Impose Breach Response Obligations on Brokers, Dealers, Etc.

A new rule proposed by the SEC on March 4th would impose breach response obligations on brokers, dealers, registered investment advisors and investment companies. Under the rulemaking authority of the Gramm-Leach-Bliley Act, the SEC’s proposed rule (an amendment to existing Regulation S-P) would set forth more detailed standards for information security programs, and would require these types of entities to notify the SEC as well as affected individuals when they suffer an information security compromise, under certain circumstances. For more detailed information about the proposed rule, see the SEC’s press release. Here is the text of the proposed rule.

What can my company learn from the FTC’s recent enforcement activity in the lead generation industry, and resulting $2.9M settlement?

If your company is in the lead generation business, or if your company retains lead generators to send consumer business its way, then there are several lessons to be learned from the FTC’s recent $2.9M settlement with ValueClick, Inc., Hi-Speed Media, Inc., and E-Babylon.
  • Make sure that advertisements comply with the FTC’s requirements for the use of the word “free.” In this action, the defendants used the word “free” to describe merchandise rewards when, in fact, consumers were required to pay for other products in order to be eligible for the free merchandise.
  • When e-mail is involved, the same deceptive marketing can lead to two separate causes of action, both under the Federal Trade Commission Act and the CAN-SPAM Act. These defendants used the word “free” improperly in the subject line of their e-mails, leading to the FTC’s allegation that they violated the CAN-SPAM Act’s rule against deceptive subject lines.
  • Don’t make promises about data security in your privacy policy, unless your data security practices are truly up to industry standards. These defendants promised to encrypt sensitive consumer data, and they did so. But the specific encryption technology they used did not meet the FTC’s standards.
  • Make sure your web site is not vulnerable to “SQL injection attacks,” which hackers can use to obtain access to sensitive information (such as payment card data) housed in databases that run behind the site. The FTC has repeatedly taken action against companies whose web sites are vulnerable to this type of attack, which is commonly known and can be easily averted.
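To show what "easily averted" means in practice, here is an added example (not code from the FTC action or from any of the defendants) contrasting a lookup that pastes user input into SQL text with the parameterized form that prevents the input from changing the query. The table, rows and the test input are constructed for the illustration.

```python
import sqlite3


def build_db():
    """Constructed sample database: a tiny customers table with card fragments."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE customers (email TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO customers VALUES (?, ?)",
        [("alice@example.com", "1111"), ("bob@example.com", "2222")],
    )
    return conn


def lookup_vulnerable(conn, email):
    """Vulnerable pattern: user input becomes part of the SQL text itself,
    so a crafted value can alter the query's structure, not just its data."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = '" + email + "'"
    return conn.execute(sql).fetchall()


def lookup_safe(conn, email):
    """Hardened pattern: a parameterized query. The driver binds the value
    separately from the SQL, so the input is only ever compared, never parsed."""
    sql = "SELECT email, card_last4 FROM customers WHERE email = ?"
    return conn.execute(sql, (email,)).fetchall()


def demo():
    """Run both lookups on a normal address and on a textbook tautology input."""
    conn = build_db()
    tautology = "x' OR '1'='1"  # the classic always-true input from any SQLi primer
    return {
        "normal": lookup_safe(conn, "alice@example.com"),  # one matching row
        "vulnerable": lookup_vulnerable(conn, tautology),  # every row leaks
        "safe": lookup_safe(conn, tautology),  # no row has that literal e-mail
    }


if __name__ == "__main__":
    for label, rows in demo().items():
        print(label, rows)
```

The same binding approach applies to any driver and ORM; the rule the example illustrates is that user input is passed as a bound parameter and never concatenated into the statement.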

Do the SEC’s new rules about making proxy materials available online require my company to alter its website privacy practices and policies?

Potentially, yes. The SEC’s new rules require that websites through which proxy materials are made available must be maintained in a manner that does not infringe on the anonymity of a person accessing the website.*

First, this means that the website cannot require a person to enter his personal information in order to access the proxy materials. Additionally, although the plain language of this rule alone could be read to allow the use of certain technologies that collect only non-personally identifying information, the SEC’s releases accompanying the new rules also restrict the use of cookies and other tracking features on websites on which proxy materials are posted. The rules also impose restrictions on the use and disclosure of e-mail addresses provided by a person for the purposes of delivering a copy of the proxy materials.**

So, what is the takeaway? Before your company makes proxy materials available through its website, a careful review of the new rules and the SEC’s accompanying releases should be conducted. The underlying technologies (such as cookies) used on the website may need to be revisited, and the privacy policy posted on the website may need to be revised accordingly.

* 17 CFR 240.14a-16(k)(1).
** 17 CFR 240.14a-16(k)(2).