The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee

Leave a comment

Sony Sued Over Playstation Network Breach

"Like clockwork," Sony has been sued over its Playstation network breach that affected over 75 million of its customers.  The class action suit was filed in the Northern District of California, and alleges that Sony did not use "reasonable care to protect, encrypt, and secure the private and sensitive data of its users."   The complaint also alleges that Sony did not timely inform its customers of the breach.

On April 26, Sony informed its Playstation Network and Qriocity customers that their personal information, including names, addresses, e-mail addresses, birthdays, PlayStation Network and Qriocity passwords, and user names, as well as online user handles, was obtained illegally by an "unauthorized person" between April 17-19.  Although Sony states that there is no evidence that credit card information was obtained, it has not ruled out that possibility.

In response to the breach, Sony has temporarily turned off PlayStation Network and Qriocity, its subscription music service, contracted with an outside security firm to investigate the intrusion on its network, and started to rebuild its system and security.

Sony’s breach has drawn the attention of lawmakers.  Sen. Richard Blumenstein (D-CT) sent a letter on April 26 to the CEO of Sony to express that he was "troubled by the failure of Sony to immediately notify affected customers of the breach and to extend adequate financial data security protections."  Rep. Mary Bono Mack (R-CA) has also announced that a result of the breach, she intends to introduce a data protection bill.  The breach has attracted international scrutiny as well, with both the Privacy Commissioner of Canada and the UK’s data protection authority announcing investigations of the breach.

Leave a comment

NYU Privacy Law Fellowship Accepting Applications

The Information Law Institute of NYU’s Engelberg Center on Innovation Law and Policy is accepting applications for a one-year fellowship in the area of privacy law, with a focus on issues related to location tracking.  The fellowship is open to law school graduates with excellent credentials and will begin in Fall 2011.  While in residence at NYU School of Law the fellow will be expected to play a leading role in researching and writing a white paper on the subject of location tracking and privacy, disseminating the results of the study, and organizing a conference or workshop on the topic.  The fellow will also be encouraged to pursue his or her own privacy-related research agenda during the fellowship year. The location tracking project will be supervised by Helen Nissenbaum (Professor of Media, Culture, and Communication), Katherine Strandburg (Professor of Law), and Ira Rubinstein (ILI Senior Fellow).  The fellow will have the opportunity to participate in Information Law Institute activities, including the multidisciplinary Privacy Research Group, to interact with other faculty associated with the ILI, and to take part in many other activities at NYU School of Law. 
The ILI fellow will receive a stipend of $50,000, along with benefits.  Applications for the fellowship should be sent by email to ILI assistant Nicole Arzt,, and should include:  a cover letter, curriculum vitae, copies of any publications, and the names and contact information of three references.  The fellowship is made possible by a generous grant from Microsoft Corporation.

Leave a comment

Supreme Court Hears Oral Arguments in Data Mining Case

Today, the Supreme Court heard oral arguments in Sorrel v. IMS.  At issue was a Vermont law that banned the selling and buying of prescription information without a doctor’s consent. The law also requires that doctors fill out a form as part of their license renewal application that indicates whether they agree to have their prescription information sold for marketing purposes.  The Second Circuit previously held this law was an impermissible restriction upon commercial speech, and therefore unconstitutional.

At oral arguments, it was clear that the Justices viewed this case as one concerning commercial speech.  In response to Vermont’s arguments, Justice Kennedy stated Vermont was “regulating speech,” and Justices Kennedy, Scalia, and Chief Justice Roberts all suggested that Vermont was attempting to limit drug companies’ speech only because the speech was effective in selling their products.  Although privacy observers have suggested that the ruling will have a large impact on both data mining companies and consumers, only at the end of arguments did at least some of the Justices appear open to allowing states some ability to regulate data-mining that threatened privacy. 

The Court is expected to issue a decision before recessing for the summer.  The transcript of today’s arguments is available here

Leave a comment

Rep. Stearns Introduces New Privacy Bill

Rep. Cliff Stearns, (R-FL), introduced yesterday a new privacy bill, H.R.1528, “To protect and enhance consumer privacy, and for other purposes.” Rep. Stearns had worked on a draft privacy bill with Rep. Rick Boucher (D-VA) during the last Congress. Rep. Boucher was defeated during the last election.

Rep. Stearns said: “Using my privacy legislation from the 109th Congress as a base, I took the comments submitted to Chairman Boucher and worked with stakeholders on developing this bill.  The introduction of this bill is not the end of the process.  I will continue to work to improve the language to ensure that regulatory distinctions are not being made on like services and that privacy is administered by a single agency, across the entire Internet economy.”

Violation of any provision of the Act would be an unfair or deceptive act or practice unlawful under 16 section 5(a)(1) of the Federal Trade Commission Act. The Act would not provide any private right of action, and would preempt state laws.

The bill would apply to an entity, its agents, or affiliates that “collects, sells, discloses for consideration, or uses personally identifiable information of more than 5,000 consumers during any consecutive 12-month period.” This definition includes non-profit organizations, but does not include governmental agencies, provider of professional services, and data processing outsourcing entities, Section 3(4).

Regulating the “cloud”

Data processing outsourcing entities would be have to be “contractually obligated to comply  with security controls specified by [covered entities] and [would have] no right to use the covered entity’s personally identifiable information other than for performing data processing outsourcing services for the covered entity or as required by contract or law,” Section 3(5).

Notice to consumers before using personally identifiable information for a purpose unrelated to the transaction

Covered entities would have to notify consumers before using any personally identifiable information they collected for a purpose unrelated to a transaction, Section 4(a)(1).

Notice to consumers of any material change in their privacy policy

Covered entities would have to provide notice to consumers after making a material change to their privacy policies, Section 4(a)(2).

Establishing a written and clear privacy policy, and a security policy

Covered entities would have to establish a privacy policy with respect to the collection, sale, disclosure, dissemination, use, and security of the personally identifiable information of consumers, Section 5(a), using written “brief, concise, clear, and conspicuous (… ) plain language,” Section 5(b)(1). The privacy policy would inform consumers about the “types of information that may be collected or used, how  the information may be used, and whether the consumer is required to provide the information in order to do business with the covered entity,” Section 5(b)(3). 

The policy would also inform consumers about the extent to which their information is “subject to sale or disclosure for consideration to a covered entity that is not an information sharing affiliate of the covered entity,” Section (b)(3)(E), and whether the information security practices of the covered entity meet “security requirements necessary to prevent unauthorized disclosure or release of personally identifiable information,” Section (b)(3)(F).

Indeed, covered entities would have to implement an “information security policy applicable to the information security practices and treatment of personally identifiable information maintained by the covered entity, that is designed to prevent the unauthorized disclosure or release of such information,” Section 8.

Providing consumers the opportunity to preclude the sale or disclosure of their information to any organization that is not an information-sharing partner

Covered entities would have to provide consumers, at no charge, the “opportunity to preclude any sale or disclosure for consideration of the consumer’s personally identifiable information, provided in a particular data collection, that may be used for a purpose other than a transaction with consumer, to any covered entity that is not an information-sharing affiliate of the covered entity providing such opportunity,” Section 6(a)(1). This preclusion would remain in effect during 5 years, or until the consumer indicates otherwise, whichever occurs sooner, Section 6(a)(2). Covered entities could provide the consumer an opportunity to allow the sale or disclosure “in exchange for a benefit to the consumer, “Section (6)(b).

Self-regulatory programs approved by the FTC

The Federal Trade Commission (“FTC”) would presume that a covered entity complies with the provisions of the Act if it participates in a self-regulatory program, Section 9(a), which would have to be approved by the FTC, Section 9(b). Denial of approval of a self-regulatory program would be subject to judicial review, Section 9(b)(5).

Self-Regulatory consumer dispute resolution process

If a consumer has a dispute with a participant in a self-regulatory program, and if this dispute pertains to the entity’s privacy policy or practices required for participation in the self-regulatory program, the consumer would have to initially seek resolution through a dispute resolution process, Section 9(d).

Leave a comment

Senators Kerry and McCain Introduce the Privacy Bill of Rights Act of 2011

Sen. John Kerry (D-Mass.) and Sen. John McCain (R-Ariz.) introduced today a bi-partisan privacy bill, the Privacy Bill of Rights Act of 2011, a bill “[t]o establish a regulatory framework for the comprehensive protection of personal data for individuals under the aegis of the Federal Trade Commission, and for other purposes.”

The Act would apply to covered entities, that is, “any person who collects, uses, transfers, or stores covered information concerning more than 5,000 individuals during any consecutive 12-month period,” and is a person a person over which the FTC has authority pursuant to section 5(a)(2) of the Federal Trade Commission Act , a common carrier, or is a non-profit organization (p.29-30).

The Act would be enforced by the FTC and by State Attorney Generals (p.30-31). However, no simultaneous enforcement by a State Attorney General and the FTC would be allowed. The Act would also prevent private rights of action (p.37).

The FTC would establish rules to be followed by nongovernmental organizations administrating safe harbor programs. Participation in these programs would be voluntary, not mandatory (p. 37-41).

The right of security and accountability

Not later than 180 days after the enactment of the Act, the FTC would initiate a rulemaking proceeding requiring covered entities to implement security measures protecting the coverd personal data information they collect and maintain. These security measures would be proportional to the size, type, and nature of the collected information (p.15). Covered entities would have a duty “to respond to non-frivolous inquiries from individuals regarding the collection, use, transfer, or storage of [their] covered information.”

Covered entities will “in a manner proportional to the size, type, and nature of the covered information that it collects, implement a comprehensive information privacy program.” Such a program would be a “privacy by design program,” which would “incorporate necessary development processes and practices throughout the product life cycle that are designed to safeguard (… ) [individuals’] personally identifiable information based on both individuals’ reasonable privacy expectations in their data  and relevant threats against data privacy (p.17).

The right to notice, consent, access, and correct information

Not later than 60 days after the enactment of the Act, the FTC would initiate a rulemaking proceeding requiring covered entities “to provide clear, concise, and timely notice to individuals” regarding data collection, use, transfer, and storage of covered information, and also regarding the specific purposes of those practices.  Covered entities would have “to provide clear, concise, and timely notice to individuals before implementing a material change in such practice (p.18).

The FTC rulemaking proceeding would also require covered entities:

“to offer individuals a clear and conspicuous mechanism for opt-out consent for any use of their covered information(…);  to offer individuals a robust, clear, and conspicuous mechanism for opt-out consent for the use by third parties of the individuals’ covered information for behavioral advertising or marketing;  to offer individuals a clear and conspicuous mechanism for opt-in consent for (… ) the collection, use, or transfer of sensitive personally identifiable information other than (i)to process or enforce a transaction or deliver a service requested by that individual; (ii) for fraud prevention and detection; or (iii) to provide for a secure physical or virtual environment ( … )”

In case of bankruptcy or if an individual requests termination of a service, a individual would have the right to request that all of his personally identifiable information maintained by covered entity, except for some publicly shared information or information that the individual authorized the sharing of, “be rendered not personally identifiable,” or, if this is not possible, the covered entity will have to stop the use or transferring such information to a third party (p.18-20).

The right to data minimization, constraints on distribution, and data integrity

Covered entities would be authorized to collect “only as much covered information relating to an individual as is reasonably necessary “during a transaction or when delivering a service requested by the individual. However, covered entities could keep such data “for research and development conducted for the improvement of carrying out a transaction or delivering a service” and for “internal operations” such as customer satisfaction surveys (p. 24-25).

Covered entities will have to require by contract that any third party to which they transfer covered information use the information only for purposes consistent with the provisions of the Act, and as specified in the contract (p. 25), unless the covered entity obtains individuals’ consents to such transfers. Data transfers to unreliable third parties would be prohibited (p.27).

Data integrity would be achieved by covered entities by establishing and maintaining “reasonable procedures to ensure that (… ) covered information (… ) is accurate in those instances where the covered information could be used to deny consumers benefits or cause significant harm” (p. 28).

More information here.

Leave a comment

2011 Chair’s Showcase Explores how Antitrust Might Address Privacy in Web 3.0

Should modern antitrust analysis address data privacy?  This was the intriguing proposition discussed by two different panels at the Chair’s Showcase during the ABA Antitrust Section’s Spring Meeting last week.  Although traditionally viewed as a consumer protection issue, privacy is becoming an important dimension of competition for companies that operate in the information economy.

Continue reading

Leave a comment

Marketing Firm Experiences Data Breach

Late last week, on March 31, 2011, the marketing firm Epsilon notified its customers that it had experienced a large-scale data breach affecting consumer information. According to Epsilon, the data breach was “limited to email addresses and/or customer names only,” and “no other personal identifiable information associated with those names was at risk.” The breach affects email addresses provided by a wide-array of clients, including many major financial institutions–such as JPMorgan Chase, Capital One, and Citibank–and numerous retailers–such as Target, Walgreens, Brookstone, and the Home Shopping Network. Epsilon sends more than 40 billion permission-based emails a year and manages consumer databases from 2,500 clients.

Security experts have expressed worries that, while the information harvested from Epsilon may seem like a minor threat, hackers can use email addresses and other compromised information to disseminate targeted phishing campaigns designed to trick consumers into revealing more sensitive personal information. The U.S. Secret Service has begun investigating Epsilon’s data breach.

Leave a comment

59th Antitrust Law Spring Meeting: National Privacy Policies as Barriers to Entry in International Competition

As the last day of the ABA Antitrust Law’s Spring Meeting wraps up, this morning’s panel, "National Privacy Policies as Barriers to Entry in International Competition" discussed differences in international law and approaches to privacy internationally.

Panelists include Ronald D. Lee, Arnold & Porter LLP, Kim Alexander-Cook, nNovation LLP, Sarretta McDonough, Gibson Dunn & Crutcher LLP, and Hugh Stevenson, Deputy Director for International Consumer Affairs, Federal Trade Commission.  Aryeh Friedman, Pfizer Inc., was the session chair.

Continue reading