The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee



European Data Protection Supervisor: Security and Privacy Concerns Must be Taken Equally Seriously

The European Data Protection Supervisor (EDPS), which is an independent supervisory authority committed to protecting personal data and privacy, issued an opinion (the “Opinion”) on December 17, 2010, on the European Union Commission’s communication on the EU’s Internal Security Strategy.

The EU Internal Security Strategy (“ISS”), which had been adopted on February 23, 2010, aims to target organized crime, terrorism and cybercrime. It lays out a European security model to answer to these threats while respecting fundamental EU values, such as fundamental rights.

The EU Commission then adopted on November 22, 2010, a communication on the ISS entitled "EU Internal Security Strategy in Action: Five steps towards a more secure Europe" which was sent to the EDPS for consultation. The Commission proposed five strategic objectives, which all have links with privacy and data protection:

  • disrupting international crime networks,

  • preventing terrorism and addressing radicalization and recruitment,

  • raising levels of security for citizens and businesses in cyberspace,

  • strengthening security through border management, and

  • increasing Europe’s resilience to crisis and disasters.

The Opinion looks at these objectives from the perspective of privacy and data protection, and specifies a number of data protection notions and concepts which should be taken into consideration when designing, developing and implementing the ISS in the EU.

The Commission’s communication stipulates that “[w]here efficient law enforcement in the EU is facilitated through information exchange, we must also protect the privacy of individuals and their fundamental right to protection of personal data.” The EDPS welcomes this statement, but regrets that the communication does not elaborate on data protection, nor does it explain how privacy and personal data could be protected (p.6).

The EDPS writes further that the ISS “should have as one of its objectives a broadly understood protection which would ensure the right balance between on the one hand the protection of citizens against the existing threats and, on the other hand, the protection of their privacy and the right to the protection of personal data. In other words, security and privacy concerns must be equally taken serious in the development of the ISS” (p.6) (our emphasis).

Some of the actions which derive from the ISS objectives are likely to increase the risks to individuals’ privacy and data protection, and these risks must be counterbalanced. The EDPS points out three concepts which should all be taken into account when implementing the ISS:

  • Privacy by Design

    o This concept is currently being developed in both the private and the public sector. The EDPS believes that “built-in” privacy must play an important role in EU internal security (p.7).

  • Privacy and Data Protection Impact Assessment (PIA)

    o The EDPS recommends that PIAs be conducted, either as a separate assessment or as part of the general fundamental rights impact assessment carried out by the Commission, and that they should recommend specific and concrete safeguards (p.8).

  • Data Subject Rights and Best Available Techniques (BATs)

    o The Commission’s communication does not specifically address the issue of data subjects’ rights. However, all persons subject to the different EU internal security systems and instruments must have the same rights relating to how their personal data are processed, and thus the EDPS invites the Commission to look more carefully into this issue.

    o The EDPS notes that “[p]articular attention should be paid to redress mechanisms. The ISS should guarantee that whenever individuals’ rights have not been fully respected, data controllers should provide for complaints procedures which are easily accessible, effective and affordable” (p.8).

    o BATs can be used to achieve the correct balance between realizing the ISS objectives and respecting individuals’ rights. Reference documents on BATs should be elaborated in order to promote harmonization of these measures throughout the different Member States. The European Network and Information Security Agency (ENISA) can play a role in the elaboration of these guidelines (p. 9).



Having One’s Personal Information Stolen, but not Misused, is Sufficient to Confer Article III Standing

The United States Court of Appeals for the Ninth Circuit held that an increased risk of identity theft is sufficient to confer Article III standing, even though no data has been misused and no financial loss has been incurred. However, in a separate Memorandum, the 9th Circuit held that plaintiffs-appellants did not adequately allege the elements of their state-law claims.

Plaintiffs were employees of Starbucks Corporation (Starbucks), who were among the 97,000 Starbucks employees whose unencrypted names, addresses, and social security numbers were stored on a laptop stolen from Starbucks. Starbucks sent all affected employees a letter stating that the company had “no indication that the private information has been misused” and offered them a year of free credit watch services. Plaintiffs enrolled in the free credit watch services, and also spent time personally monitoring their accounts for fraud. However, they have not suffered any financial losses.

Plaintiffs filed two class action suits against Starbucks, claiming that Starbucks, by failing to protect plaintiffs’ personal data, had acted negligently and had breached an implied contract under Washington law. The United States District Court for the Western District of Washington granted Starbucks’ motion to dismiss, holding that Plaintiffs did have standing under Article III of the Constitution, which limits federal-court jurisdiction to “cases” and “controversies,” but had failed to allege a cognizable injury under Washington law. Plaintiffs appealed, and the Ninth Circuit affirmed the District Court’s dismissal, while finding that they had indeed suffered an injury sufficient to confer standing on them.

Under the case or controversy requirement of Article III, Section 2 of the Constitution, a plaintiff must have suffered an ‘injury in fact’ in order to have standing. This ‘injury in fact’ must be (1) concrete and particularized and actual or imminent. It must be (2) fairly traceable to the defendant’s action, and it must be (3) likely that the injury will be redressed by a favorable decision. It was undisputed before the District Court that Plaintiffs had sufficiently alleged causation (2) and redressability (3).

Did plaintiffs suffer an injury-in-fact? One of the plaintiffs had suffered “generalized anxiety and stress,” and the Ninth Circuit found it sufficient to confer standing. The other plaintiffs were concerned about their increased risk of future identity theft. No theft had occurred, even though someone had attempted to open a bank account in the name of one of the plaintiffs. The account was closed by the bank before any loss could occur. Does this constitute an injury-in-fact? The Ninth Circuit quoted Pisciotta v. Old National Bancorp, 499 F.3d 629, 634 (7th Cir. 2007). In that case, plaintiffs had stated that they had incurred expenses in order to prevent their confidential personal information from being used, and would have to continue to incur these expenses in the future, yet had not alleged any direct financial loss to their accounts as a result of a security breach. For the Seventh Circuit, “the injury-in-fact requirement can be satisfied by a threat of future harm or by an act which harms the plaintiff only by increasing the risk of future harm that the plaintiff would have otherwise faced, absent the defendant’s actions.” However, the Seventh Circuit ruled in that case that “Indiana law would not recognize the costs of credit monitoring that the plaintiffs seek to recover in this case as compensable damages.”

The 9th Circuit also quoted Lambert v. Hartman, 517 F.3d 433, 437 (6th Cir. 2008). In Lambert, the plaintiff had alleged that her identity was stolen after her personal information had been published on the Clerk’s website of an Ohio court. Her financial security and credit rating suffered as a result, and she also had claimed that because of the nature of the identity theft, she had been exposed to the risk that people had accessed her personal information on the Internet and would be able to use that information to commit future acts of identity theft against her. The Sixth Circuit held that “[a]lthough this latter injury is somewhat “hypothetical” and “conjectural,” her actual financial injuries are sufficient to meet the injury-in-fact requirement.”

In the Starbucks case, the 9th Circuit held that plaintiffs had alleged “a credible threat of real and immediate harm stemming from the theft of a laptop containing their unencrypted personal data. Were Plaintiffs-Appellants’ allegations more conjectural or hypothetical—for example, if no laptop had been stolen, and Plaintiffs had sued based on the risk that it would be stolen at some point in the future—we would find the threat far less credible.”

So if the risk of future identity theft is “conjectural” or “hypothetical,” there would be no injury-in-fact. The threshold, however, seems to be low. The mere fact that personal data is stored, unencrypted, on a laptop, which is somewhat easier to steal than a bigger computer, does not mean that plaintiffs would meet the injury-in-fact requirement for standing. But if the laptop is stolen, and if it contains unencrypted personal data, the threat is sufficiently credible.

However, as, under Washington law, an actual loss or damage is an essential element for a cause of action in a negligence suit, and “[t]he mere danger of future harm, unaccompanied by present damage, will not support a negligence action,” the 9th Circuit affirmed the dismissal of plaintiffs’ negligence claim.



U.S. Department of Commerce Publishes “Green Paper” on Privacy

The U.S. Department of Commerce Internet Policy Task Force published on December 16, 2010 its “Green Paper” on privacy. Entitled “Commercial Data Privacy and Innovation in the Internet Economy: a Dynamic Policy Framework” (the “Framework”), it recommends considering a new framework for addressing online privacy issues in the United States. While the Framework does not express a commitment to specific policy proposals, it identifies and discusses areas of policy and possible approaches.

Gary Locke, Secretary of Commerce, wrote in the foreword to the Framework that “protect[ing] the tremendous economic and social value of the Internet without stifling innovation requires a fresh look at Internet policy.” Indeed, the Framework notes that the world has changed much in the last 15 years, as new devices such as personal computers and mobile phones have transformed both the economy and people’s social life. Ninety-six % of working Americans use the Internet as part of their daily life, and sixty-two % of Americans use the Internet as an integral part of their jobs (p.14). Uses of personal data have multiplied, but privacy laws have not kept up with these changes.

Online retail sales accounted for over $140 billion in retail sales for U.S. companies in 2009 (p.14). But consumers are concerned about their privacy, and thus companies not protecting the privacy of their customers may very well lose them. Consumer expectations that the personal data collected by companies “will be used consistently with clearly stated purposes and protected from misuses is fundamental to commercial activities on the Internet” (p.15).

The Framework includes policy recommendations under four broad categories:

1. Enhance Consumer Trust Online Through Recognition of Revitalized Fair Information Practice Principles (FIPPs)

The Framework notes that, “from the consumer perspective, the current system of notice-and-choice does not appear to provide adequately transparent descriptions of personal data use which may leave consumers with doubts (or even misunderstandings) about how companies handle personal data and inhibit their exercise of informed choices” (p.22). Under a Notice-and-Choice model, “consumers ‘privacy rights depend on their ability to understand and act on each individual privacy policy” (p. 31), which may prove an overwhelming task.

The first recommendation of the Framework is to recognize a full set of Fair Information Practice Principles (FIPPs) as a foundation for commercial data privacy. A FIPPs-based framework would promote transparency and clarity and would also “protect the privacy of personal information in commercial contexts not covered by an existing sectoral law.” Such a framework would serve as “the basis for recognizing expanding interoperability between U.S. and international commercial data privacy frameworks” (p. 22). It would also foster compatibility in privacy protection across industry sectors (p.24). They would do so by filling gaps in current data privacy protections. The Department of Commerce would not develop comprehensive and prescriptive rules (p.32).

Such a framework would leave in place existing sectoral laws. Recommendation #8 of the Framework states that “A baseline commercial data privacy framework should not conflict with the strong sectoral laws and policies that already provide important protections to Americans, but rather should act in concert with these protections” (p. 58).

2. Encourage the development of voluntary, enforceable privacy codes of conduct in specific industries through the collaborative efforts of multi-stakeholder groups, the Federal Trade Commission, and a Privacy Policy Office within the Department of Commerce

As the mere development of FIPPs is probably not enough to provide sufficient privacy protection, the Framework also recommends creating voluntary codes of conduct that would promote informed consent and safeguard personal information.

The government can also play a role by coordinating and encouraging the stakeholders. To do so, the Framework recommends establishing a Privacy Policy Office (PPO) in the Department of Commerce, which would be both a convener of diverse stakeholders and a center of the Administration’s commercial data privacy policy expertise (p.45). A flow chart on the “Creation and Operations of Proposed Privacy Policy Office” is available on p. 48 of the Framework.

It would focus exclusively on commercial data privacy. The PPO would work with the FTC to develop voluntary but enforceable codes of conduct, as, in some contexts, FIPPs might not be sufficiently protective (p. 41). Companies would voluntarily adopt such codes of conduct, but this commitment would be enforceable by the FTC. There would be a safe harbor for companies that commit and adhere to “an appropriate voluntary code of conduct” (p.43).

3. Encourage Global Interoperability

The lack of cross-border interoperability in privacy principles and regulation creates barriers to cross-border data flow, and companies have to bear a significant compliance cost. If global interoperability of data privacy approaches were improved, it would have a positive effect on U.S. services exports and thus would benefit the U.S. economy (p.14).

The Framework notes that disparate privacy laws have a growing impact on global competition, and “disparate approaches to commercial data privacy can create barriers to both trade and commerce, harming both consumers and companies” (p. 53). Because of the differences both in form and in substance between the U.S. and other privacy laws, it is increasingly complicated for companies to provide goods and services in global markets. Since the European Union and other countries trading with the U.S. have adopted omnibus privacy laws, companies must thus demonstrate that their privacy practices adequately comply with the U.S. The U.S. must renew its commitment to leadership in the global privacy policy debate by developing an online privacy framework “that enhances trust and encourages innovation.”

In order to do so, and also to generally decrease regulatory barriers to trade and commerce, the U.S. Government should work with its allies and trading partners “to promote low-friction, cross-border data flow through increased global interoperability of privacy frameworks” (p.7). Privacy laws around the world have substantive differences, yet these laws “are frequently based on the same fundamental values” (p.7). The U.S. should work with its allies to find practical means of bridging differences. The U.S. should also continue to support the APEC Data Privacy Pathfinder Project initiated in 2007 by the Asia Pacific Economic Cooperation. It is a set of collaborative projects taken on by APEC member-economies to develop and test the essential practical elements of a system that would enable accountable cross-border data flows under the guidance of APEC data privacy principles, and its endorsement should be secured during the 2011 APEC year, which will be hosted by the U.S.

4. Ensure Nationally Consistent Security Breach Notification Rules

The Framework recommends that a federal commercial data security breach notification law be enacted. This federal law would set national standards and address how to reconcile inconsistent State laws, as the differences between the State laws come with an undue cost to U.S. businesses, which “must comply with several dozen variations on the same theme” (p. 57). This federal law would not, however, preempt other federal security breach notification laws. Both the FTC and State authorities would have authority to enforce the law.



Court of Appeals Determines E-Mail Deserves Fourth Amendment Privacy Protection

On December 14, 2010, the Court of Appeals for the Sixth Circuit determined that the Department of Justice should have obtained a search warrant before seizing and searching e-mails from a service provider, holding that e-mails are analogous to letters or telephone calls and deserve Fourth Amendment protection.

In U.S. v. Warshak, the Department of Justice issued a subpoena ordering the defendant’s e-mail provider (NuVox) to prospectively preserve copies of Warshak’s future e-mails. Subsequently, the government obtained Warshak’s stored e-mails from NuVox, basing its actions on the Stored Communications Act, which the government argued allows it to obtain e-mails already in storage with an e-mail provider without a search warrant in many situations (e.g., the law affords different levels of privacy protection to e-mails depending on where they are stored and how long they have been in storage). Despite the provisions in the Stored Communications Act, the Sixth Circuit determined that e-mails, like letters or telephone calls, deserve Fourth Amendment protection. Accordingly, the Department of Justice should have obtained a search warrant based on probable cause before seizing Warshak’s e-mails from his service provider.

The Sixth Circuit’s decision in U.S. v. Warshak is available here.



Connecticut Attorney General Initiates Investigation of Google’s Street View

On December 10, 2010, Connecticut Attorney General Richard Blumenthal announced that his office is investigating whether Google violated state law by collecting data from unsecured wireless networks through its Street View cars. The Civil Investigative Demand, issued on December 10, 2010, requires Google to provide information regarding the type of data that was collected. Last May, Google acknowledged that it had inadvertently collected data from unprotected wireless networks in 30 countries. According to the Connecticut Attorney General’s press release, “Google initially claimed that the data was fragmented, but has since acknowledged that entire e-mails and other information may have been improperly captured.” In light of this disclosure, Connecticut initiated its investigation to verify the kind of data gathered and determine if it contains e-mails, passwords, web-browsing activity, and other private information. The Federal Trade Commission (“FTC”) previously investigated Google’s Street View incident and issued a letter closing the investigation in October 2010. More information about the FTC’s investigation is available here.



Register for the ABA Consumer Protection Conference

We wanted to let our readers know about the upcoming one-day ABA Consumer Protection Conference on February 3, 2011 in Washington, DC.

Given your interest in privacy law, we think you will find the conference to be extremely valuable and time well spent.  Our speakers this year include:

  • FTC Commissioners Julie Brill, Edith Ramirez, and J. Thomas Rosch

  • Canada Privacy Commissioner Jennifer Stoddart

  • Tony West, Assistant Attorney General, DOJ

  • David Vladeck, Director, Bureau of Consumer Protection, FTC

  • Joel Winston, Associate Director, Division of Financial Practices, FTC

  • Sarah Mathias, Associate General Counsel, FTC

And we have representatives from the California and Texas Attorneys General Offices, the National Advertising Division, the Center for Democracy & Technology, the Electronic Frontier Foundation, and the American Bankers Association, among others.

The speakers will address what to expect in 2011 in consumer protection enforcement; new advertising substantiation rules; new and evolving privacy law; the expanding scope of third party liability in the CP realm; ethical considerations relating to social media in investigations and litigation; and new strategies in private advertising litigation challenges.  We’ll also have a welcome reception the evening before that will provide an excellent opportunity to meet the speakers and other attendees in an informal setting. 

In short, the conference will be a great networking opportunity, as well as a way to stay on top of the ever-evolving rules in consumer protection, advertising, privacy, and data security law.

The full program brochure and registration information are available on the ABA’s website here. The significant discount for early bird registration ends in early January, and seats are filling up fast, so we urge you to register soon if you plan on attending.



FTC Seeks Comments on Caller ID Provisions of Telemarketing Sales Rule

On December 7, the FTC announced that it was seeking comments on ways to strengthen the Telemarketing Sales Rule’s requirements related to the use of Caller ID.  Currently, the Rule allows consumers to screen out unwanted telemarketing calls by requiring telemarketers to provide Caller ID information.  The FTC is seeking comments on how to address technologies that hide callers’ identities.  Comments are due by Jan. 28, 2011.
