The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee


FTC Warns ICANN About Domain Name Expansion

The FTC recently sent a detailed 15-page letter to the Internet Corporation for Assigned Names and Numbers (ICANN) expressing concern that the organization’s plan to expand the domain name system could leave consumers open to online fraud and undermine law enforcers’ ability to track online scammers. The House Energy and Commerce Committee has also expressed concern about ICANN’s expansion plan.

ICANN has overseen the allocation of Internet domain names since 1998.  The organization intends to expand generic top-level domain names (gTLDs) – currently ".com", ".net", and ".org" – to include many new domain names, such as the name of a company or a business category e.g. ".restaurant."  According to the FTC letter, gTLD expansion could create a "dramatically increased opportunity for consumer fraud." In particular, the letter outlines a concern that "the proliferation of existing scams, such as phishing, is likely to become a serious challenge given the infinite opportunities that scam artists will now have at their fingertips.  Fraudsters will be able to register misspellings of businesses, including financial institutions, in each of the new gTLDs, create copycat websites, and obtain sensitive consumer data with relative ease before shutting down the site and launching a new one."  The FTC letter urges ICANN to take additional steps before rolling out new domain names, and suggests that a pilot program be implemented by ICANN before proceeding with a full expansion.

The FTC received support from the 400-member Association of National Advertisers, which hoped that the letter would help "convince ICANN that it must stop [the] initiative and build true consensus with the many constituencies that depend upon a responsibly managed Internet domain naming process."

The House Energy and Commerce Committee has also expressed opposition to ICANN’s expansion plan.  The House Subcommittee on Communications and Technology held a recent hearing to examine the issue, and the full Committee followed up with a bipartisan letter describing domain name expansion as a "worthy goal", while expressing concern "that there is significant uncertainty in this process for business, non-profit organizations, and consumers."  The letter urges ICANN to delay its plan, which is set to go live on January 12, 2012.


Most Claims Dismissed Against Heartland Payment Systems in Data Breach Litigation

Recently, a federal district court judge dismissed the majority of claims brought by financial institutions against Heartland Payment Systems ("HPS") as a result of its 2009 data breach.  The plaintiffs alleged that hackers obtained payment card numbers and expiration dates for approximately 130 million accounts as a result of the breach.  The plaintiffs were financial institutions that did not participate in the Visa or MasterCard settlements. 

U.S. District Judge Lee Rosenthal dismissed all claims except for the plaintiffs’ claim under the Florida Deceptive and Unfair Trade Practices Act. HPS argued that the Act only applied to consumers, but Judge Rosenthal disagreed, noting that the Act was amended in 2001 to state “person” instead of “consumer.”


EU Data Protection Reforms Outlined

The EU Commissioner responsible for data protection recently outlined the growing contours of EU data protection reform legislation expected to issue early next year.  In a November 28 speech to the American Chamber of Commerce, Viviane Reding, Vice President of the EC Commission, and EU Justice Commissioner, spoke of her determination to deliver "a strong, consistent and future-proof framework for data protection, with consistent rules across all Member States and across all Union policies."

Commissioner Reding began her speech by outlining the challenges currently facing businesses operating under the EU’s 1995 data protection legislation.  First, EU data protection laws are fragmented between 27 EU member states, leading to varying legal interpretations and enforcement regimes.  Reding estimated that this fragmentation costs businesses €2.3 billion a year.  Second, fragmentation is inconsistent with the EU’s goal to unify its 27 member states in a single market by "making it difficult to sell or shop cross-border." Third, according to EU survey data, existing data protection rules do not have the confidence of consumers, thus inhibiting the adoption of new technologies such as cloud computing.

According to Commissioner Reding, the need for data protection has grown exponentially since 1995 "when the full potential of the Internet had not yet been realized.  In 1993 the Internet carried only 1% of all telecommunicated information.  By 2007, the figure was more than 97%."

Commissioner Reding went on to detail some specific regulatory reforms impacting businesses including: increased coordination between member state data protection authorities (DPAs); eliminating the requirement to notify data processing to DPAs; a single point of contact for companies dealing with multiple EU DPAs; and mutual recognition by DPAs of binding corporate rules approved by another DPA.  The Commissioner also outlined the individual data protection safeguards in the reform proposal, such as timely notification of data protection breaches to consumers.

Reding included in her remarks her position on the role of industry self-regulation.  According to the Commissioner, self-regulation "has an important, complementary role to play in this reform.  But let me be clear: self-regulation is not a fig-leaf for non-compliance; self-regulation only works if there is strong, legally binding regulation in the first place."



Failure to Plead Loss Causation in Class Action Suit Against Amazon Leads to Dismissal

Judge Robert S. Lasnik from the Washington Western District Court granted last week Amazon’s motion to dismiss in the class action suit Del Vecchio et al v., Inc. Plaintiffs may now file an amended complaint within 30 days.

Plaintiffs alleged that Amazon, the well-known online retailer, placed browser cookies on their computers against their wishes by “exploiting” a shortcoming in the cookie filtering function of Microsoft’s Internet Explorer browser, and that Defendant intentionally published a “gibberish” website policy to deceive Plaintiffs’ browsers into accepting Defendant’s cookies despite their filter settings.

Plaintiffs also alleged that Amazon retooled flash cookies so that they would behave as traditional browser cookies in order to be accepted by Plaintiffs’ browsers, and that the online retailer used the personal information thus gathered and also shared it with third parties, contrary to the terms of its Privacy Notice.

Plaintiffs claimed to have been injured by Amazon’s misappropriation of their personal information, in which they have economic and property interests, and by damage to and consumption of their Computer Assets, leading to economic harms, including “devaluation of personal information, [and] loss of the economic value of the information as an asset” and diminution of the performance and value of their computer resources.

However, Judge Lasnik granted Amazon’s motion to dismiss because Plaintiffs failed to plead plausible losses.

Diminished Performance of Plaintiff’s Computer

Plaintiffs alleged that, by transferring cookies to their computers, Amazon diminished the computers’ performance and caused an interruption in service, but Judge Lasnik considered these claims merely “naked assertions.”

Monetary Value of Personal Information

The Computer Fraud and Abuse Act (“CFAA”) punishes unauthorized access to a protected computer, and provides for a civil remedy “unless the object of the fraud and the thing obtained consists only of the use of the computer and the value of such use is not more than $5,000 in any 1-year period.” Therefore, the value of the loss (more or less than $5,000) was one of the questions presented to the court.

According to Judge Lasnik’s order, the facts of the case do not allow the Court “to reasonably infer that those losses plausibly occurred in this case, let alone that they totaled $5,000.” Plaintiffs argued, for example, that by acquiring their personal information Amazon deprived them “of the opportunity to exchange their valuable information,” but such deprivation is “entirely speculative” according to Judge Lasnik. However, Judge Lasnik did not entirely dismiss the idea that personal data may have value, adding: “[w]hile it may be theoretically possible that Plaintiffs’ information could lose value as a result of its collection and use by Defendant, Plaintiffs do not plead any facts from which the Court can reasonably infer that such devaluation occurred in this case.”

The issue of proving the value of personal data is quite interesting. How could one measure the value of one’s personal information? Is the personal information of a gold or platinum card member more valuable than that of a basic member? Should sites like Klout, which uses algorithms to grade one’s reputation across several social media sites, be introduced as evidence? It will be interesting to read Plaintiffs’ amended complaint in the coming weeks.


Comparing CAN-SPAM to Canada’s new Anti-Spam Law

Those who operate or have customers in the U.S. market are already familiar with the requirements of the 2003 CAN-SPAM Act. If your operations or customers extend into Canada, however, there are new Canadian anti-spam rules you need to know. Why? Because these new rules will affect how you engage in online communications in Canada, starting in early 2012.

The SlideShare presentation linked below provides an overview of the key differences between Canada’s new Anti-Spam Law, CASL, and CAN-SPAM. Here are a few:

• Broader application: CASL applies not only to e-mail but also to instant messages, text messages and more. It also covers more activities, including the installation of computer programs.

• Clear reach outside Canada: CASL expressly applies to messages “accessed from a computer system in Canada”. This means that a message sent from outside Canada can still be covered.

• Higher standard for consent: “Opt-in” consent for CASL versus “Opt-out” for CAN-SPAM.

• Higher penalties: $10 million maximum penalty for an organization that contravenes CASL.

The implications of this:

• More online activities will be caught by CASL.

• More activities affecting Canadians will be caught by CASL, even if initiated outside Canada.

• More steps will be needed under CASL to be permitted to communicate online.

• Overall, there is greater exposure to liability under CASL.

Learn more about CASL, including what steps to take now to avoid liability: