The Secure Times

An online forum of the ABA Section of Antitrust Law's Privacy and Information Security Committee


House Hearing Focuses on Potential Federal Data Breach Notification Legislation

This week, the U.S. House of Representatives Subcommittee on Commerce, Manufacturing, and Trade held an oversight hearing entitled “Reporting Data Breaches:  Is Federal Legislation Needed to Protect Consumers?”  The hearing, which included testimony from members of the technology industry and academia, focused on whether there is a need for a federal law to either supplement or replace the current patchwork of more than 48 state data breach notification laws. 

Tech industry representatives from associations including TechAmerica, CompTIA, and CTIA described the burden facing companies after they suffer a data breach and then must quickly assess their obligations based upon the states’ differing definitions of personal information, various event triggers, and numerous notification timeframes.  In addition, they stressed that any new federal law should preempt existing state laws rather than simply establish a minimum standard on which state laws would be based.  The hearing also included discussion of technical questions relating to a possible federal law, including how to define a data breach, how quickly breaches should be reported, and what obligations companies have to consumers whose information has been breached. 

During the hearing, Subcommittee Chairman Lee Terry (R-NE) expressed an interest in pursuing new legislation on this matter.  Notably, during the 111th Congress, Subcommittee member Rep. Bobby Rush (D-Ill) reintroduced the Data Accountability and Trust Act (“DATA”) that would have replaced the various state regimes with a uniform federal notification standard and charged the FTC with enforcement.  The bill passed the House, but no action was taken in the Senate.


FTC Retains Effective Date for the Amended COPPA Rule

On May 6, the Federal Trade Commission (“FTC”) voted unanimously to retain the July 1, 2013 date for implementation of the updated Children’s Online Privacy Protection Rule (“COPPA”).  The FTC vote took place approximately two weeks after online industry and business organizations, including the Direct Marketing Association (“DMA”) and the U.S. Chamber of Commerce, sent a letter to the FTC seeking an extension of the effective date for the COPPA Rule amendments, from July 1, 2013 to January 1, 2014. 

In voting to retain the original date for implementation of the updated Rule, the Commission noted that the July 1 implementation date, along with the rule changes, was announced in December 2012, which provided affected companies with more than six months to prepare for the updated Rule.  The FTC also noted various meetings and consultations it had held during the past several months with organizations and individual businesses to discuss how companies can ensure compliance with the amended Rule.  In addition, the FTC noted the recent release of its updated COPPA Rule Frequently Asked Questions (“FAQs”) document, which includes a number of questions (and answers) that directly address how the amended Rule differs from the original Rule, including the following:

• What should I do about information I collected from children prior to the effective date that was not considered personal under the original Rule but now is considered personal information under the amended Rule?

• Other than the changes to the definition of personal information, in what ways is the new Rule different?

• Will the amended COPPA Rule prevent children from lying about their age to register for general audience sites or online services whose terms of service prohibit their participation?

Notably, the online industry had cited the lack of an updated FAQs document as a key reason for its request to extend the implementation date to January 2014.


Sens. Rockefeller and Blumenthal Introduce the Do-Not-Track Online Act of 2013

On February 28, U.S. Senators Jay Rockefeller (D-WV) and Richard Blumenthal (D-CT) introduced the “Do-Not-Track Online Act of 2013,” which would require all Web browsers, online companies, and mobile app developers to allow users to opt-out of online tracking by online advertising networks, data brokers, and others.  The bill is similar to legislation that Senator Rockefeller introduced in 2011.

The bill would create a universal legal obligation for all online companies to honor consumer choice when consumers do not want any entity to collect information about their online activities.  In addition, the bill would allow the Federal Trade Commission to pursue enforcement action against a company that does not honor a consumer’s request to not be tracked.

Under the bill, companies could track personal information in limited instances, including when (1) such tracking is necessary to deliver a service requested by the consumer being tracked, so long as the information is anonymized or deleted once the service is delivered; or (2) the individual receives clear and conspicuous notice that the collection is occurring, and consents to such collection.

The legislation is in response to ongoing dialogue (and disagreement) between the online industry and consumer groups over how best to implement an industry-wide Do Not Track standard.  According to Sen. Rockefeller, “[i]ndustry stood at the White House and made a public pledge to honor do-not-track requests, but has since failed to live up to that commitment.”  In response, Sen. Rockefeller states that this latest bill will give consumers “the opportunity to simply say ‘no thank you’ to anyone and everyone collecting their online information. Period.”


Sen. Rockefeller Requests Information from Fortune 500 CEOs on Cybersecurity Practices

On September 19, Sen. Jay Rockefeller (D-WV) sent letters to the CEOs of every Fortune 500 company seeking information on their companies’ cybersecurity practices and their concerns with respect to government involvement in protecting critical cyber infrastructure.  Stating that he was "profoundly disappointed" in the Senate’s inability to pass comprehensive cybersecurity legislation in August, Sen. Rockefeller is urging President Obama to address cybersecurity issues through an Executive Order and is asking the CEOs for their views on cybersecurity, which he intends to use in support of future legislation.

Sen. Rockefeller asked the CEOs to respond by October 19, 2012 to the following eight questions:

– Has your company adopted a set of best practices to address its cybersecurity needs?

– If so, how were these cybersecurity practices developed?

– Were they developed by the company solely, or were they developed outside the company? If developed outside the company, please list the institution, association, or entity that developed them.

– When were these cybersecurity practices developed? How frequently have they been updated? Does your company’s board of directors or audit committee keep abreast of developments regarding the development and implementation of these practices?

– Has the federal government played any role, whether advisory or otherwise, in the development of these cybersecurity practices?

– What are your concerns, if any, with a voluntary program that enables the federal government and the private sector to develop, in coordination, best cybersecurity practices for companies to adopt as they so choose, as outlined in the Cybersecurity Act of 2012?

– What are your concerns, if any, with the federal government conducting risk assessments, in coordination with the private sector, to best understand where our nation’s cyber vulnerabilities are, as outlined in the Cybersecurity Act of 2012?

– What are your concerns, if any, with the federal government determining, in coordination with the private sector, the country’s most critical cyber infrastructure, as outlined in the Cybersecurity Act of 2012?

A list of companies that received the letter is available here.


Paul Ohm to Join FTC as Senior Advisor on Internet, Privacy, and Mobile Markets

On August 27, Professor Paul Ohm, Associate Professor at the University of Colorado Law School, will join the FTC as a senior policy advisor for consumer protection and competition issues affecting the Internet and mobile markets.  Ohm specializes in topics that include information privacy and cyberlaw.  He has authored numerous law review articles and essays that address the impact of technology on consumer privacy, and he is a frequent blogger and contributor to FTC roundtables and industry conferences.

Ohm will join the FTC’s Office of Policy Planning, which focuses on the development and implementation of long-range competition and consumer protection policy initiatives, and advises staff on cases raising new or complex legal or policy issues.  This will be the second time that Ohm has served the government in a privacy-focused capacity.  He previously served as a federal prosecutor for the U.S. Department of Justice’s Computer Crime and Intellectual Property Section.

A press release on Ohm’s new role is available here.


Commerce Department Launches Multistakeholder Process for Consumer Privacy Codes of Conduct

In response to the White House’s February 23, 2012 release of Consumer Data Privacy in a Networked World:  A Framework for Protecting and Promoting Innovation in a Global Digital Economy ("Framework"), the Commerce Department’s National Telecommunications and Information Administration ("NTIA") has issued a request for public comments on the consumer data privacy issues to be addressed through voluntary, yet legally enforceable, codes of conduct that implement the Consumer Privacy Bill of Rights outlined in the Framework.  NTIA is seeking comments from all interested stakeholders, including consumer groups, industry, academia, law enforcement agencies, and international partners.  Comments are due on March 26, 2012.

Interested parties may submit comments on any consumer privacy-related topic, though NTIA’s request indicates that the Framework’s transparency principles in privacy notices for mobile applications ("apps"), particularly apps that feature location-based services, are among the agency’s highest priorities.  Other highlighted areas for comment include cloud computing, online services directed toward teens and children, trusted identity systems, and the use of technologies, such as browser-based cookies, to collect personal data.

NTIA also seeks comment on how the multistakeholder process can be structured to ensure openness, transparency, and consensus-building among a diverse group of interested parties.  These comments represent the initial step of a process aimed at developing voluntary codes of conduct that will be enforced by the Federal Trade Commission.


Massachusetts Court Holds that Zip Codes are PII

On January 6, 2012, a Massachusetts District Court, in Tyler v. Michaels Stores, Inc., held that zip code information is personally identifiable information (“PII”) under a state consumer protection statute.  In Tyler, the plaintiff provided her zip code to a cashier at a Michaels arts and crafts store while making a purchase with her credit card.  According to the plaintiff, Michaels then combined her zip code with other information to obtain her home mailing address, and began sending unwanted marketing materials.  The plaintiff argued that the collection and recording of zip codes during a credit card transaction violates Mass. Gen. Laws ch. 93 § 105, under which a business cannot “write, cause to be written or require that a credit card holder write [PII], not required by the credit card issuer, on the credit card transaction form.”

In its order, the Court dismissed the case because the plaintiff was unable to show cognizable injury.  Nevertheless, the Court held that zip codes are PII because such a reading is consistent with language in a Massachusetts criminal identity theft statute that defines PII as any “number” used “alone or in conjunction with any other information” to assume the identity of an individual.  Moreover, despite Michaels’ argument that the state statute applies only to credit card information recorded on paper, the Court stated that the statute applies to all credit card transactions, including those processed manually, electronically, or by other methods.

Businesses that collect customer information at the sales register should continue to closely follow this issue, as this case, together with the recent California Supreme Court decision in Pineda v. Williams-Sonoma Stores, Inc., may foretell lawsuits in other states with consumer protection statutes similar to those in Massachusetts and California.


FTC Scrutiny of Web Browser Toolbar Signals Continued Online Privacy Enforcement in 2012

A recent FTC settlement underscores that, in 2012, the FTC will continue to hold companies accountable for providing full disclosures about the extent to which their online services collect and transmit personal information.  On January 5, 2012, the FTC announced a settlement with Upromise, Inc., a membership service that helps consumers save money for college, over charges that the company misled users about the extent to which it collected and shared their personal information through a “Personalized Offers” feature on a web browser toolbar, and then failed to properly secure the user information that it collected.

Upromise provides a service that allows users to contribute to a college savings account by earning rebates when they purchase goods and services from Upromise partner merchants.  Upromise provided users with a web browser toolbar that highlighted Upromise’s partner merchants appearing in a user’s search results, thereby enabling users to more easily identify merchants that provide the college-savings rebates.

According to the FTC, when users enabled the “Personalized Offers” feature, the toolbar collected and transmitted the names of the websites visited by users, as well as information that users entered into those websites, including search terms, user names and passwords, and financial information.  The Commission also alleged that users who downloaded the toolbar were told by Upromise that any personal information collected would be removed before it was transmitted, and that Upromise had security features in place to protect the personal information.  The FTC claimed that Upromise’s alleged actions were unfair and deceptive and violated the FTC Act.

The FTC settlement bars Upromise from using its web browser toolbar to collect users’ personal information without clearly and conspicuously disclosing the extent of its data collection practices before users download the toolbar.  Upromise also must destroy any personal information previously collected through the “Personalized Offers” feature, obtain consumers’ consent before installing or re-enabling its toolbar products, and notify users how to uninstall the toolbars currently residing on their computers.  The settlement further bars Upromise from making material misrepresentations about the extent to which it protects the privacy and security of consumers’ personal information, and requires the company to establish a comprehensive information security program that includes biennial independent security audits for the next 20 years.