The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee



CFPB Announces Supervision of Credit Reporting Agencies

Monday, the Consumer Financial Protection Bureau ("CFPB") announced that it would begin to supervise credit reporting agencies.  According to the CFPB, this is the first time the consumer reporting agencies will be subject to a federal supervision program.  Formal supervision will start September 30, and on-site examinations will begin after that date.

According to the New York Times, the CFPB will oversee and make rules to cover about 30 credit reporting companies, which represent 94% of the $4 billion credit reporting market.  The CFPB’s supervision and rules will not only apply to the "big three" credit reporting agencies, Experian, Equifax, and TransUnion, but also to those with more than $7 million in annual revenue.

The CFPB also posted a list of consumer reporting agencies, which consists of companies that have identified themselves as consumer reporting companies or that provide consumers access to their credit reports.  The CFPB made the announcement as part of its attempts to define the "larger participants" among consumer financial companies under its Dodd-Frank supervision authority.

Director Cordray’s full remarks are available here.  The CFPB also released a consumer advisory on checking credit scores.



FTC Urges Congress to Reauthorize SAFE WEB Act

The House Subcommittee on Commerce, Manufacturing, and Trade held a hearing earlier today to discuss reauthorization of the 2006 "Undertaking Spam, Spyware, And Fraud Enforcement With Enforcers beyond Borders Act", otherwise known as the U.S. SAFE WEB Act.  The subcommittee – which is chaired by Rep. Mary Bono Mack (R. California) – heard testimony from Hugh Stevenson, the FTC’s Deputy Director for International Consumer Protection.

The SAFE WEB Act was enacted in response to growing evidence of cross-border spam, spyware, and fraud on the Internet.  According to FTC 2005 research, an estimated 20 percent of consumer complaints to the agency at that time involved fraud originating outside the United States.  The FTC further estimated that Americans suffered annual losses to foreign operators totaling nearly $220 million as a result of this activity.  The SAFE WEB Act expanded the FTC’s Section 5 authority to tackle this problem by including in its scope "acts or practices involving foreign commerce that (i) cause or are likely to cause reasonably foreseeable injury within the United States; or (ii) involve material conduct occurring within the United States."  The Act also gave additional powers to the FTC to work with foreign Government agencies designed to facilitate cross-border cooperation and information sharing in investigations and law enforcement actions.

According to today’s FTC testimony, the agency estimates that it has conducted more than 100 investigations, and filed more than 50 cases, involving cross-border elements since SAFE WEB’s passage.  The FTC testimony also states that using the tools provided to it under the Act, the agency has stopped frauds costing consumers hundreds of millions of dollars.  For this and other reasons, the FTC submitted in its testimony that "it is critical that Congress reauthorize the law enforcement tools provided by the U.S. SAFE WEB Act."

In her Opening Statement to the hearing, Rep. Bono Mack described SAFE WEB as an "important tool in combating cross-border fraud, spam, and spyware."  She went on to describe the progress made since 2006, as evidenced in a 2009 FTC Report issued pursuant to the Act, and concluded that SAFE WEB "has been a clear success to date and should be reauthorized before its expiration next year."

The SAFE WEB Act will expire on December 22, 2012 absent reauthorization.  Draft legislation before the House Commerce Committee would reauthorize the Act for an additional 7 years.



Toward a Federal Breach Notification Law? Data Security and Breach Notification Act of 2012 Introduced in U.S. Senate

Senator Pat Toomey [R-Pa] introduced on June 21 a bill, the Data Security and Breach Notification Act of 2012 (the Data Breach Act), which could become the Federal data breach notification law. If enacted, entities collecting and maintaining personal information would have to secure this information, and would also have to provide notice to individuals affected by a breach of security involving personal information.

The Data Breach Act would preempt State laws (Section 6), and would take effect one year after its enactment.

Senator Toomey published a statement explaining why he believes such a law is needed:

"A number of recent high-profile data breaches combined with the messy patchwork of 46 different state laws highlight how difficult it is for consumers to know their personal information is secure. Congress needs to provide businesses and consumers with certainty and establish a single reasonable standard for information security and breach notification practices. Our bill would eliminate the burden of complying with varying standards and laws, ensuring that all consumers and their personal information are afforded the same level of protection."

Scope of the Data Breach Act

The bill would cover entities over which the Federal Trade Commission (FTC) has authority pursuant to section 5(a)(2) of the FTC Act, and also common carriers subject to the Communications Act of 1934.

However, financial institutions subject to Title V of the Gramm-Leach-Bliley Act would be exempt from the Data Breach Act, as would entities covered by the regulations issued under section 264(c) of the Health Insurance Portability and Accountability Act of 1996 (HIPAA), to the extent that such entities are subject to the requirements of those regulations with respect to protected health information.

Information Security

The covered entities would have to “take reasonable measures to protect and secure data in electronic form containing personal information” (Section 2).  The bill does not, however, define what these ‘reasonable measures’ should be, which could lead to uncertainty for businesses.

Personal information would not include information “encrypted, redacted, or secured by any other method or technology that renders the data elements unusable” (Section 5(5)(B)(ii)). Therefore, it seems that encrypting personal information would serve as a safe harbor for covered entities.

Notification of Information Security Breach

The Data Breach Act would define a “breach of security” as an “unauthorized access and acquisition of data in electronic form containing personal information” (Section 5(1)).

Each covered entity owning or licensing personal data would have to notify individuals of a security breach if their personal data was or may have been affected by the breach. Entities would only have to notify American citizens or residents, Section 3(a)(1).  Therefore, if a breach of a U.S. system affects the data of, say, a company's international clients, a covered entity could argue that it does not have to notify them of the breach. In practice, though, international clients could not be ignored without some public relations damage.  The entity would also have to inform the FBI of any breach of security which may affect more than 10,000 persons, Section 3(a)(2).

If the system where the breach occurred is maintained by a third party, the third party would have to notify the covered entity of the breach, which in turn would notify individuals, Section 3(b)(1)(A).  ISPs would not be considered a third party under the Act, Section 3(b)(1)(C). However, an ISP becoming aware of a breach involving data owned by one of its entity-customers would have to notify the entity of the breach if the covered entity can be "reasonably identified."

Timeliness of Notification

Covered entities would have to notify individuals affected by the security breach "as expeditiously as practicable and without unreasonable delay," Section 3(c)(1). However, the notification may be delayed if a Federal law enforcement agency requests it in writing so that the notification does not impede a civil or criminal investigation, or if a Federal national security agency requests it in writing because the notification would threaten national or homeland security. In both cases, the notification may be held for a "reasonably necessary period," which would be determined by the Federal agency requesting the delay, Section 3(c)(2)(A) and Section 3(c)(2)(B).

Method and Content of Notification

The notification could be accomplished by mail, telephone, or email. It would have to contain the date or estimated date of the breach, as well as the scope of the breach. It would also have to contain a description of the personal information that was accessed and the contact information an affected individual may use to learn more about the breach and to find out which of their personal data was held by the covered entity, Section 3(d).

A substitute notification would be authorized instead of a direct notification to the affected individual if direct notification is not feasible because of excessive cost relative to the entity's resources, or if the entity does not have sufficient contact information for the individual affected by the breach.  Such substitute notification could be a "conspicuous notice" on the entity's web site, or a notification published or broadcast by major media in the areas where the affected individuals may live, Section 3(d)(2).

In practice, this may lead to some disparities. If a deep-pocketed company suffers a breach but is unable to contact the affected individuals directly because it does not have their contact information, it could then choose to publish or broadcast the notification. It would have to do so at least throughout the U.S. territory, and one could even argue that it would have to be done around the world, as U.S. citizens living abroad may be affected by the breach as well.

An entity with lesser means may not be able to do so, as such publication would be quite expensive.  A direct notification might not be feasible because of the high cost for the company, yet a substitute notification would be even more expensive if the entity does not have enough information about the affected individuals to contact them. Some small companies process a huge volume of personal data, yet may not have the financial capacity to notify all the individuals concerned by the breach.

Liability

Violating section 2 and section 3 of the Data Breach Act would be considered unfair or deceptive acts or practices under the FTC Act, and the FTC would have the power to enforce the Data Breach Act.

The maximum civil penalty for a covered entity having violated the Data Breach Act would be $500,000 for all violations of section 2 and $500,000 for all violations of section 3 resulting from a single breach of security, Section 4(c)(3)(A) and (B). There would be no private cause of action against a person for violation of the Data Breach Act, Section 4(d).

It is not the first time that such a bill has been introduced in Congress. Last year, S. 1207, the Data Security and Breach Notification Act of 2011, was introduced by Senator Mark Pryor [D-AR]; it was itself a re-introduction of S. 3742 from the 111th Congress. S. 1207 was not enacted. It remains to be seen whether Senator Toomey's bill will have the same fate.

However, the bill has already received the support of AT&T, in a statement by Tim McKone, Executive Vice President of Federal Relations, which read:

"The security of our customers’ personal information is of utmost importance to us and is a priority in how we conduct our business. That is why we are pleased by Senator Toomey’s thoughtful and comprehensive bill, the ‘Data Security and Breach Notification Act of 2012.’  It is a common sense bill that will eliminate uncertainties and ultimately consumer confusion by establishing uniform requirements.”

The CTIA, the Wireless Association, also supports the bill. Jot Carpenter, its Vice President of Government Affairs, issued this statement:

"CTIA welcomes the introduction of Senator Toomey’s bill. By advancing a proposal that offers a comprehensive, uniform approach to data security and breach notification, Senator Toomey demonstrates that it is possible to protect consumers while providing clear, consistent guidelines to businesses.”

Another data breach notification bill, H.R. 3730, sponsored by Rep. Joe Donnelly [D-IN], the Veterans Data Breach Timely Notification Act, has recently passed the House Veterans’ Affairs Subcommittee.  The bill is not as inclusive as the Data Security and Breach Notification Act, as it would only require the Secretary of Veterans Affairs to provide notice to veterans whose sensitive personal information is involved in a data breach.



Class Action Suit Filed Against Google, Alleges Email Interception and Eavesdropping under California’s CIPA

A class action suit was filed last month against Google in the Superior Court of California. The class consists of all California residents who are not Gmail subscribers and who have sent an email to Gmail subscribers from a non-Gmail email account.

The complaint alleges that Google intentionally intercepted emails sent by individuals who are not Gmail subscribers to Gmail subscribers. Google then reviewed the words, the content and thought processes of these emails.

According to the complaint, while Gmail subscribers consented to their emails, including incoming email, being reviewed by Google, the senders of these non-Gmail emails have not given Google their consent to intercept emails sent from their non-Gmail accounts. As this interception is done before the email is delivered to the Gmail subscriber, the complaint alleges that it constitutes wiretapping and eavesdropping in violation of the California Invasion of Privacy Act (CIPA), Cal. Penal Code § 630 et seq.

Cal. Penal Code § 630 states the intent for CIPA:

“The Legislature hereby declares that advances in science and technology have led to the development of new devices and techniques for the purpose of eavesdropping upon private communications and that the invasion of privacy resulting from the continual and increasing use of such devices and techniques has created a serious threat to the free exercise of personal liberties and cannot be tolerated in a free and civilized society. The Legislature by this chapter intends to protect the right of privacy of the people of this state.”

Wiretapping: Cal. Pen. Code § 631 provides for the liability of "[a]ny person who … willfully and without the consent of all parties to the communication, or in any unauthorized manner, reads, or attempts to read, or to learn the contents or meaning of any message, report, or communication while the same is in transit or passing over any wire, line, or cable, or is being sent from, or received at any place within this state." The complaint claims that Google violated § 631.

Eavesdropping: If Google's conduct is not wiretapping, the complaint states that Google has violated § 632 of the Cal. Pen. Code, which makes it illegal to eavesdrop on e-mail conversations.

The complaint seeks an order requiring Google to cease violating CIPA, and also seeks an award of statutory damages for each member of the class.

The case will be interesting to follow, as a California court held last April that the Federal Wiretap Act does not completely preempt California’s Invasion of Privacy Act, Cindy Leong v. Carrier IQ Inc et al, Carey Eckert v. Carrier IQ Inc et al, CV 12-01564, United States District Court, C.D. California. In that case, the defendant had filed a notice of removal, arguing that "[c]ourts in both the Central and Northern Districts of California have held that the Federal Wiretap Act, as amended by the ECPA in 1986, comprehensively regulates privacy claims concerning electronic communications."  The Court was not convinced by these arguments, stating that the California law is more restrictive than the Federal law, and that the Federal law supersedes state law only to the extent that state law offers less protection.



FTC Brings Action against Wyndham Hotels for Failure to Protect Consumers’ Personal Information

The Federal Trade Commission (FTC) filed a complaint on June 26 against Wyndham Worldwide Corporation and three of its subsidiaries, alleging failure to maintain reasonable and appropriate data security for consumers’ sensitive personal information. The FTC claims that because of this failure, intruders were able to obtain unauthorized access to the Defendants’ computer networks. This led to fraudulent charges on consumers’ accounts, incurring more than $10.6 million in losses, and to the export of credit card account information to a domain registered in Russia.

Defendants Controlled the Hotels’ Computer Systems

Independent hotels operating under a franchise agreement with Wyndham Hotels had to use a property management system designed by Defendants, which stored consumers’ personal information, including payment information. This system was linked to the Wyndham Hotel corporate network, much of it located at a Phoenix, Arizona data center, operated by Wyndham Hotels. Only Defendants had administrator access to control the property management systems of the independent hotels. Defendants also had direct control over the computer networks of the Wyndham-branded hotels managed by one of the Defendants, Hotel Management.

Privacy Policies

Wyndham Worldwide was responsible for creating information security policies for itself and for its subsidiaries, and for overseeing subsidiaries’ information security programs.

Defendants have published privacy policies on their websites since at least 2008, claiming that they will safeguard customers’ personally identifiable information “by using standard industry practices,” and that they will “take commercially reasonable efforts to create and maintain ‘fire walls’ and other appropriate safeguards” to protect customers’ information.

Inadequate Data Security Practices

However, the FTC claims that Defendants’ data security practices were inadequate, and thus unnecessarily exposed consumers’ personal data to unauthorized access and theft. Defendants’ security failures led to fraudulent charges on consumers’ accounts.

The FTC alleges such shortcomings as storing credit card information in clear, readable text, failing to limit access between the different property management systems, and failing to secure the Defendants’ servers. Also, Defendants did not require the use of complex passwords to access the property management systems, and allowed the use of easily guessed passwords.

The FTC claims that these shortcomings allowed intruders to gain unauthorized access into Wyndham Hotels’ computer networks on three separate occasions, using similar techniques in each of the three occurrences.  After discovering each of the first two breaches, Defendants failed to take appropriate measures to prevent another breach.

Violations of the FTC Act

The representations made by Defendants’ privacy policies were thus inadequate according to the complaint. The FTC alleges that even though Defendants represented to their customers that they had implemented reasonable and appropriate measures to protect their personal information against unauthorized access, they had not in fact implemented these measures, and thus the representations made to the customers were unfair and deceptive and violated the FTC Act. The FTC also claims that this failure to safeguard consumers’ personal information caused or was likely to cause substantial injury to consumers.