Retailer TJX and data brokers Reed Elsevier/Seisint have both agreed to consent orders with the FTC for their individual data breach cases. While no fines were levied in either case, both companies are required to build and audit comprehensive data security programs.
In a letter to Massachusetts regulators, Hannaford identified malware installed on servers at each of their stores as the culprit in their massive data breach (CNET reports). The malware intercepted credit card information at the point of sale (a first in security breach annals, where most have resulted from hacks into databases) and sent it to fraudsters overseas.
Just in time to hash over at the privacy or consumer protection conference of your choice, the CDT has issued a document outlining a compendium of proposed approaches for determining what should be classified as "sensitive data" under the FTC’s proposed self-regulatory guidelines for behavioral targeting.
The document gathers together relevant definitions and their contexts from an array of privacy-related laws, guidelines and policy proposals, including HIPAA, COPPA and the EU directive. The CDT’s own proposal to the FTC town hall meeting last year comes first, with its controversial definition of PII (including both IP address and profiling data unconnected to any additional identifiers).
Since the supermarket chain’s public announcement last week that its network was breached, compromising the security of 4.2M payment cards, Hannaford Bros. Co. has been sued in four different consumer class action lawsuits. The suits allege negligence, breach of implied contract to safeguard customer payment card information, and violation of state unfair trade practices laws. The suits also allege that Hannaford failed to notify customers of the breach in a timely fashion.
According to the World Privacy Forum, medical identity theft is on the rise, and the problem will only get worse before it gets better. This article from msnbc illustrates the issue and how it can impact individuals in a worse way than financial identity theft.
A new rule proposed by the SEC on March 4th would impose breach response obligations on brokers, dealers, registered investment advisors and investment companies. Under the rulemaking authority of the Gramm-Leach-Bliley Act, the SEC’s proposed rule (an amendment to existing Regulation S-P) would set forth more detailed standards for information security programs, and would require these types of entities to notify the SEC as well as affected individuals when they suffer an information security compromise, under certain circumstances. For more detailed information about the proposed rule, see the SEC’s press release. Here is the text of the proposed rule.
- Make sure that advertisements comply with the FTC’s requirements for the use of the word “free.” In this action, the defendants used the word “free” to describe merchandise rewards when, in fact, consumers were required to pay for other products in order to be eligible for the free merchandise.
- When e-mail is involved, the same deceptive marketing can lead to two separate causes of action, both under the Federal Trade Commission Act and the CAN-SPAM Act. These defendants used the word “free” improperly in the subject line of their e-mails, leading to the FTC’s allegation that they violated the CAN-SPAM Act’s rule against deceptive subject lines.
- Make sure your web site is not vulnerable to “SQL injection attacks,” which hackers can use to obtain access to sensitive information (such as payment card data) housed in databases that run behind the site. The FTC has repeatedly taken action against companies whose web sites are vulnerable to this type of attack, which is commonly known and can be easily averted.
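To make the last point concrete, here is an added example (not from the original post or any FTC filing) showing the coding defect behind SQL injection beside the fix that averts it. It uses an in-memory SQLite table as a stand-in for the database behind a retail site; the table, its rows and the customer identifiers are constructed for illustration.

```python
import sqlite3

# Constructed sample data: a tiny "orders" table standing in for the
# back-end database of a web site that holds payment card details.
def build_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE orders (id INTEGER, customer TEXT, card_last4 TEXT)")
    conn.executemany(
        "INSERT INTO orders VALUES (?, ?, ?)",
        [(1, "alice", "4242"), (2, "bob", "1111"), (3, "carol", "9876")],
    )
    return conn

def lookup_vulnerable(conn: sqlite3.Connection, customer: str) -> list:
    # Vulnerable: the user-supplied value is spliced into the SQL text,
    # so a crafted value can change the query's structure, not just its data.
    sql = f"SELECT customer, card_last4 FROM orders WHERE customer = '{customer}'"
    return conn.execute(sql).fetchall()

def lookup_parameterized(conn: sqlite3.Connection, customer: str) -> list:
    # Hardened: the value travels separately from the query text as a bound
    # parameter, so whatever it contains is compared literally to the column.
    sql = "SELECT customer, card_last4 FROM orders WHERE customer = ?"
    return conn.execute(sql, (customer,)).fetchall()

def demo() -> dict:
    conn = build_db()
    normal = "alice"
    # Constructed test input: the textbook tautology that turns the WHERE
    # clause of the vulnerable query into "customer = '' OR '1'='1'".
    hostile = "' OR '1'='1"
    return {
        "vulnerable_normal": lookup_vulnerable(conn, normal),
        "vulnerable_hostile": lookup_vulnerable(conn, hostile),   # every row leaks
        "safe_normal": lookup_parameterized(conn, normal),
        "safe_hostile": lookup_parameterized(conn, hostile),      # no match, no leak
    }

if __name__ == "__main__":
    for name, rows in demo().items():
        print(f"{name}: {rows}")
```

The only change between the two functions is how the value reaches the database; a code review that flags every query built by string formatting is the cheapest way to find the vulnerable form.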
Potentially, yes. The SEC’s new rules require that websites through which proxy materials are made available must be maintained in a manner that does not infringe on the anonymity of a person accessing the website.*
* 17 CFR 240.14a-16(k)(1).
** 17 CFR 240.14a-16(k)(2).