Privacy & Security Matters

Mintz Levin : Data Compliance & Security, Employee Privacy Lawyer & Attorney

About California’s Right to Know Act of 2013 – What, Me Worry?

Posted in Privacy Regulation

Written by Jake Romero

If you got Google, Facebook and Microsoft into a room and asked them to compile a list of things that they are most afraid of, that list would probably look something like this:

  1. Bees
  2. Getting into a Twitter fight with a Justin Bieber fan
  3. California’s Right to Know Act of 2013

You may not be familiar with California’s Right to Know Act, but you can bet that the largest online retailers and service providers are closely watching the California legislature’s proceedings.

So, what is the “Right to Know Act?”

Assembly Bill 1291, introduced by state Assembly member Bonnie Lowenthal, would amend Section 1798.83 of the California Civil Code to require that any business that retains a customer’s personal information, or discloses customer personal information to a third party, provide, at no charge and within 30 days of receiving a request from a customer, a copy of all information retained about that customer, as well as the names and contact information for all third parties with which that business has shared customer data within the last 12 months.  This requirement would apply regardless of whether the business has a relationship with the customer.

Think of it as the data privacy version of that bill that required restaurants to list the number of calories in each food item next to that item on the menu.

What would be the practical effect?

If passed in its current form, it would be difficult to overstate the potential impact on online businesses that retain personally identifiable information.  In addition to names, social security numbers, birthdates and similar information, categories of “personal information” can include a user’s IP address, mobile device data and geolocation data, which are often collected on an ongoing basis in the background of services that are provided to consumers.  (A complete definition of “personal information” and a list of categories of personal information can be found here.)

Since the Act requires that the business provide copies of this information to customers who request it, compliance with the Act may require updates to record keeping systems.  Moreover, since copies of information must be provided to the customer free of charge, the cost of complying with such requests must either be borne solely by the business or (as is more likely to be the case) factored into the cost of the services or products offered by the business.

Even the limitations in the scope of the Act create potential pitfalls for online businesses.  For example, the new definition of “retain” does not include storing information solely for one or more of the following purposes:

  • to perform a service or complete a transaction initiated by or on behalf of the customer, including maintaining or servicing accounts, providing customer service, processing or fulfilling orders and transactions, verifying customer information, processing payments, providing financing, or similar services;
  • to address fraud, security, or technical issues; to protect the disclosing business’ rights or property; or to protect customers or the public from illegal activities as required or permitted by law; or
  • to comply with applicable law or regulation or with a court order or other legal process where the business has a good-faith belief that the law, regulation, court order, or legal process requires the information to be stored or held.

However, the above exception applies only so long as the information is deleted as soon as it is no longer needed for these purposes.  In other words, any business that intends to rely on this exception will likely need to have a system in place to periodically monitor the information it has collected to delete personally identifiable information that is no longer needed for those specific purposes.  Such businesses will also need to ensure that the information is not being used for any other purpose, since doing so would also invalidate this exception.

Questions to ask in preparation

The Right to Know Act of 2013 isn’t the law of the land yet — it is working its way through the legislative process and you can track its status here – but as it gets closer to adoption the Act’s ranking in the list of things that online companies are afraid of will only go up.  In the meantime, there are certain questions you can consider to help you gauge your preparedness:

  • Do you know the full scope of information that is collected from your users or customers, including background data that is collected automatically?
  • Do you have data retention and destruction policies in place to eliminate personally identifiable information that is no longer necessary?
  • Do you know what personally identifiable information is being collected by all third parties who help you provide services or products?  Do you know what data storage, retention and destruction policies those third parties have in place?
  • For every type of information that is collected, do you have a clear understanding of each way in which the information is used, including for strictly internal purposes like data analytics?

It is essential to ask these questions early because once the Right to Know Act of 2013 gives consumers the right to ask the question, businesses will have to know the answer.  As always, Mintz Levin’s data privacy attorneys are available to help you find the answers you need.

Data Breach at Gunpoint

Posted in Data Breach, Data Breach Notification, Identity Theft

Written by Amy Malone

You might think that if you lock your backup tapes in a safe they are protected from a data breach, but Kmart’s recent data breach proves that’s not the case.  Last month, a person held a Kmart employee in Little Rock, Arkansas at gun point and ordered him to open the store’s safe.  The perpetrator ran off with the safe’s contents, including almost $6,000 and the day’s backup disk.

The next problem for Kmart (or maybe the first problem)?  The backup disk was not encrypted or password-protected.  The Chicago Tribune reports that information on the disk included confidential information relating to prescriptions, including names, addresses and medications prescribed for almost 800 customers.  According to another news source, parent company Sears says that “certain prescriptions also contained the customer’s social security number.”

Kmart spokesperson Shannelle Armstrong-Fowler said there was a “slim to none” chance of the thief accessing information on the disk because he would need to know what software package Kmart uses and have that software, but FierceRetail asserts that it would not be that difficult to extract information from the disk by using a hex dump utility.  According to StorefrontBacktalk, the initial police report did not reference the missing data disk, and Little Rock Police said no updated report had been filed.  Such an updated report would have been filed had Sears contacted police to update the list of what had been stolen.  Read more details here.

This breach underscores the importance of implementing layers of security.  Using strong encryption and passwords in addition to locking the media in a safe would have provided greater security to customer information and saved Kmart some angst.  Are you utilizing the right security to protect your sensitive information?  Unsure?  Contact one of our privacy attorneys for help.

War of Words Regarding Implementation of Amendments to COPPA – UPDATE

Posted in Children, Federal Trade Commission, Privacy Regulation

UPDATE — The Federal Trade Commission has published its promised COPPA FAQs here.

Volley #1 - Trade Associations to FTC:  Please Delay!

The long-awaited amendments to the Children’s Online Privacy Protection Act (COPPA) have been the subject of much discussion and debate.  Last week, Federal Trade Commission (FTC) Chairwoman Edith Ramirez received letters from 19 trade organizations, including the Interactive Advertising Bureau, the Application Developers Alliance, the Toy Industry Association, and the Direct Marketing Association, urging the FTC to consider a six (6) month extension of the effective date for the amendments to the Children’s Online Privacy Protection (COPPA) Rule (the “Amendments”), pushing out the effective date from July 1, 2013 to January 1, 2014.

The common concern voiced by these trade organizations in their letters to the FTC is the inability of their members to comply with the Amendments by July 1, since they claim that the Amendments significantly expand the scope of COPPA and the obligations of the covered entities.  The Toy Industry Association described compliance with the Amendments by July 1 as a potentially “monumental task,” the Direct Marketing Association noted in its letter to the FTC that the “final amendments released in December 2012 contained several unanticipated material changes from previous versions” that “significantly impact the long standing business model that [companies subject to COPPA] have relied upon in planning the capabilities of their products and services since COPPA’s inception”, and the Application Developers Alliance stated in its letter that “the changes create significant new obligations for app developers and their partners that are still not well understood.”  The request for extending the effective date to January 1, 2014 is based on the argument that a longer timeline for implementation will provide more time for the industry to understand the effect of the Amendments, to implement and quality-check the changes necessary to comply (both internally and with respect to third party relationships), and to overall assure widespread compliance with the Amendments.

Volley #2 — Consumer Advocacy Groups:  Don’t Delay!

This week, several consumer privacy and children advocacy groups  – including the Center for Digital Democracy, Common Sense Media, Consumer Watchdog, and the Electronic Privacy Information Center (collectively, “Advocacy Groups”) — wrote to Commissioner Ramirez to oppose the compliance delay requested by the trade associations. Noting  that the FTC process of amending COPPA began in 2011 and included industry participation and input (with the Amendments being issued in December 2012) and that industry has had sufficient time to adjust their business practices and make the necessary changes for compliance, the Advocacy Groups characterized the compliance delay as unwarranted and harmful to children. The Advocacy Groups urged the FTC to remain firm on the July 1 enforcement date as a delay would “undermine the goals of both Congress and the FTC.”

No word from the FTC yet on any of these requests; however, the Commission is expected to release further guidance on compliance with the Amendments in the form of FAQs.

EU Data Protection Regulation: Looming closer . . .

Posted in European Union, Legislation

Written by Susan Foster, Solicitor England & Wales/Admitted in California

(LONDON) The draft of the new Data Protection Regulation, the first EU privacy law with highly serious teeth in the form of fines based on global turnover, continues to wend its way through various committees of the European Parliament (EP).  The European Parliament recently pushed back a critical committee vote until May 29-30, when the Civil Liberties, Justice and Home Affairs Committee will have its say on the draft Regulation.

Powerful EP and outside lobbies are backing major changes to the Regulation – some of which are fundamentally opposed to each other.  Over three thousand amendments to the Regulation have been proposed by the European Parliament alone.  EU and foreign companies continue to lobby for changes to the proposed Regulation, and the UK ICO, an important voice from the “inside” of the debate, continues to call for a more pragmatic approach.  Yet Jan Phillip Albrecht, MEP and one of the leading advocates for the Regulation, remains confident that agreement will be reached within the European Parliament.  When that happens, all that will remain is for the European Parliament and the Council to reach agreement on the text of the Regulation – and then it will become law.

A heartfelt “thank you”

Posted in Uncategorized

Mintz Levin was founded in 1933 in Boston, and our largest office is located here.   Since Monday evening, we have received countless expressions of concern and support from clients, colleagues and friends around the world.  For that, we thank you.

We also want to take this opportunity to cross-post from our Health Law Policy Matters blog and publicly thank the first responders and health care providers who saved lives at the site of the Boston Marathon bombings.  Boston is a better place for all of you.


Much-Deserved Praise for Boston’s Hospitals and Health Care Professionals

Posted By Karen S. Lovitch

An opinion piece in this morning’s Boston Globe recognizes the quiet bravery of those who are providing medical care to the victims of Monday’s bombing at the finish line of the Boston Marathon.   Without the quick, organized response of health care professionals at the scene and at nearby hospitals, the number of deaths would undoubtedly have been higher.  The ability of health care professionals to remain calm in the face of this and other tragedies is nothing short of amazing.  Even though they do not want or expect praise for what they do, we should all remember to recognize and to thank them for caring for us and keeping us safe.   I am sure I speak for everyone at Mintz Levin – which was founded in Boston and which is where our largest office is located – when I say thank you to Boston’s health care professionals for their “calm, heroic response in the face of unprecedented carnage.”


“Red Flag” Compliance Requirements Come to Investment Advisors, Broker-Dealers – UPDATE

Posted in Data Compliance & Security, Identity Theft, Privacy Regulation


UPDATE:   We have prepared a detailed Client Alert as a guide to getting started with these new Red Flag Rules and compliance obligations.   You can read it here.


It has been several years since the Federal Trade Commission’s Red Flag Rule took effect, and the banking regulators have had the Red Flag Interagency Guidance in place since 2007.  Finally, entities regulated by the Securities and Exchange Commission (SEC), such as broker-dealers and investment advisers, and entities regulated by the Commodity Futures Trading Commission (CFTC), such as futures commission merchants, commodity trading advisers and commodity pool operators, will be required to join the party.

In announcing the adoption of the rule, new SEC Chair Mary Jo White said, “Current estimates are that about five percent of American adults fall victim to identity theft fraud each year.  It is a risk for everyone, and as technology continues to advance, the risks increase.”

Section 1088 of the Dodd-Frank Wall Street Reform and Consumer Protection Act shifted certain oversight functions under the Fair Credit Reporting Act from the Federal Trade Commission to the SEC and the CFTC for entities regulated by those agencies. Last year the agencies issued a joint proposal on the identity theft provision. The final rules are “substantially identical” to the proposal, said Norm Champ, director of the SEC’s Division of Investment Management.

Specifically, the rules require that covered entities set up programs that identify, detect, and respond to identity theft “red flags.”    Most of the SEC-regulated entities will not be surprised by these rules.  Dodd-Frank essentially transferred oversight of already-existing Fair Credit Reporting Act requirements from the FTC to the SEC and the CFTC.

SEC Commissioner Luis Aguilar, however, noted that certain investment advisers, including advisers to hedge funds and private equity funds, may not have identity theft programs in place and will have to pay “particular attention” to the rules. Such entities were not required to register with the SEC until last year pursuant to Dodd-Frank.

The joint rules will become effective 30 days after publication in the Federal Register, and firms will be required to come into compliance six months after that date.


D.C. Developments on the Cybersecurity Front – UPDATE

Posted in Cybersecurity

Written by Cynthia Larose and Heidi Lawson

UPDATE:  The House Permanent Select Committee on Intelligence passed the Cyber Intelligence Sharing and Protection Act (CISPA) this afternoon. The vote was 18 in favor and two (Adam Schiff (D-CA) and Jan Schakowsky (D-IL)) against.   For more information, read The Hill.


The last 24 hours have seen two important Washington developments on the cybersecurity front.

Senator Rockefeller’s Letter to the SEC

We’ve been discussing the Securities and Exchange Commission’s Cybersecurity Guidance since it was issued last year (including here just Monday).   Yesterday, Senator Jay Rockefeller (D-WV) sent a letter to the SEC, urging newly confirmed Chairman Mary Jo White to issue more authoritative guidance in order to encourage publicly traded companies to detail their cybersecurity risks and what steps they are taking to mitigate the threats.

The Senator’s letter said, “Investors deserve to know whether companies are effectively addressing their cyber security risks — just as investors should know whether companies are managing their financial and operational risks.  Formal guidance from the SEC on this issue will be a strong signal to the market that companies need to take their cyber security efforts seriously.”

The Senator’s letter is part of a rapidly growing trend to hold companies, and ultimately their board of directors, responsible for both oversight and making such disclosures.  The question is, are companies and their board of directors paying attention?

President Obama’s Budget — More $$$ for Cybersecurity

The second development came later yesterday when President Obama unveiled his 2014 budget proposal.  The 2014 budget specifically allocates billions for research and development, directed in particular to the Departments of Homeland Security, Commerce and Justice, for programs aimed at identifying and mitigating cyberthreats.

In his budget proposal, the President said, “Cyberthreats are constantly evolving and require a coordinated and comprehensive plan for protection and response…As we continue to see across the nation, no sector, network or system is immune from penetration by those who seek to make financial gain, to perpetrate malicious and disruptive activity, or to steal commercial or government secrets and property.”

The budget proposal can be seen as the President putting the money behind his statements regarding the importance of addressing cyberthreats in his State of the Union address as well as the recent Cybersecurity Executive Order.


Yet Another Zip Code Class Action Filed in Massachusetts

Posted in Class Action Litigation, Privacy Litigation

Written by Amy Malone

Earlier this month, we reported on the privacy case against craft giant Michaels Stores (see our blog post here, as well as our client alert here) in which the plaintiff alleged that Michaels illegally collected zip codes during credit card transactions. The case was ultimately dismissed by the federal district court, but questions of law were sent to the Massachusetts Supreme Judicial Court (“SJC”), including whether zip codes are “personal identification information” under Mass. Gen. Laws ch. 93 § 105. In the Michaels case, the SJC held that zip codes are personal identification information under the consumer protection law relating to credit card transactions.

Another important question sent to the SJC through the Michaels case was whether legal action could be brought under the statute where there was no evidence of identity fraud. The SJC found that a case can be brought even if there is no evidence of identity fraud, as the statute is intended to “address invasion of consumer privacy by merchants…” The SJC listed two specific harms that constitute an injury under the statute:

(a) the actual receipt by a consumer of unwanted marketing materials as a result of the merchant’s unlawful collection of consumer personal identification information; and

(b) the merchant’s sale of a consumer’s personal identification information to a third party.

Both of these injuries are alleged in two putative class action complaints against defendant Bed Bath & Beyond (“BBB”).  One complaint was recently filed by the same plaintiff in the Michaels case, and another by plaintiff Kelley Whiting.  Both complaints were filed in federal district court and allege that BBB violates customers’ privacy by collecting zip codes during credit card transactions.  The complaints assert that BBB does not ask customers for their zip codes because the credit company requires the information or for verification purposes, but rather for “its own business purpose.”  The purpose?  The complaints allege that BBB (a) uses that information to identify the customer’s address and/or telephone number, which it locates using commercially available databases, (b) uses the enhanced information for its own direct marketing (i.e. junk mail) and/or (c) sells the information to third parties.

Cybersecurity Disclosure: A Panel Discussion with the SEC’s Division of Corporation Finance

Posted in Cybersecurity, Data Breach

Last week in Washington, D.C., this author had the opportunity to sit in on a panel discussion by the SEC’s Division of Corporation Finance (“CorpFin”) discussing, among other things, recent developments in cybersecurity disclosure in public company filings.  The panel included CorpFin’s Acting Director Lona Nallengara, Deputy Director of Disclosure Operations Shelley Parratt and others from CorpFin.

One question asked of the panel was whether companies are actually listening to the SEC Guidance issued in late 2011.  The panel acknowledged that it has seen improvement in public company disclosure related to cybersecurity (consistent with what we previously reported here), and that the 2011 guidance is still very relevant.  The panel disclosed that the SEC has issued cybersecurity comments to approximately 50 public companies since issuing its guidance.  Specifically, the panel outlined the three major types of cybersecurity comments that the SEC has issued:

1) Disclose Specific Cybersecurity Breaches:  Although public companies are beginning to include greater disclosure related to how data breaches could occur, the SEC has issued comments requesting that companies disclose whether data breaches have actually occurred and how the company has responded to such breaches.

2) Cybersecurity Risks Should Stand Alone:  Often public companies include cybersecurity risks mixed in with other unrelated risk factors, such as risks of terrorist attacks or natural disasters.  The SEC has commented that cybersecurity risks should be broken out separately and stand alone because of the distinct differences between the risk of cybersecurity attacks and the risk of other types of disasters or attacks.

3) All Material Breaches Should Be Disclosed:  In some cases, a public company has suffered a cybersecurity attack, but has failed to disclose such attack in its public filings.  The SEC has issued comments requesting additional information regarding why the public company does not believe the attack is sufficiently material to warrant disclosure, and if such attack is material, then the SEC has requested that the company include the relevant disclosure in its public filings.

Aside from these three main areas, the panel explained that the SEC is interested in greater disclosure regarding the source of cybersecurity attacks that have occurred, e.g., whether the attack is from a competitor, a foreign government or a hacker group.  The SEC is also interested in instances in which the company was initially unaware of a data breach, but a third-party brought it to the company’s attention.  In these cases, the SEC may request disclosure regarding why the company was initially unaware of the breach.  The panel hinted that the SEC will issue comments this year related to these additional areas of interest.

Notably, the panel cautioned that a public company’s board of directors has oversight responsibility when it comes to cybersecurity, and that federal agencies other than the SEC are also focused on cybersecurity issues.

Based on CorpFin’s panel discussion, it appears that increased cybersecurity disclosure is not just the flavor of the month for the SEC.  Public companies should be proactive in their disclosure of cybersecurity risks and incidents to avoid receiving a comment from the SEC.  Companies should remember that the board of directors has an affirmative responsibility to ensure that the company has adequate cybersecurity protection, procedures and public disclosure in its filings.  Keep an eye out this year for new SEC comments related to the SEC’s additional areas of interest mentioned above.

EU versus Google: A test case for the viability of a global data protection policy?

Posted in European Union, Privacy Regulation

Written by Susan Foster, Solicitor England & Wales/Admitted in California

(LONDON) The EU has escalated its existing investigation of Google’s global privacy policy, a policy covering all of Google’s services that was introduced by Google last year.  Up until April 3, the French data protection authority, CNIL, had effectively been tasked with engaging with Google in an investigation as to whether Google’s global privacy policy complies with European data protection laws.  Dissatisfied with Google’s response to date, five other data protection authorities from some of the largest EU countries (the United Kingdom, Germany, Spain, Italy and the Netherlands) are now joining France in a coordinated investigation.  (The investigation has of course been covered by multiple news sources.  See, for example, The Wall Street Journal article here for more information — and some pithy reader comments.)

The immediate consequences for Google in terms of potential financial penalties are negligible for a company of its size.  Each of the national authorities can levy fines, but they are capped under current law.  For example, the maximum fine in the UK is only £500,000.  Things would be quite different under the proposed Data Protection Regulation, where EU-wide fines could be as high as two percent of worldwide turnover.  See our earlier articles on the draft Regulation here and here.

But pending the introduction of more meaningful fines, the current investigation of Google is about fundamental points of principle (user consent and the viability of a global policy) that could have a widespread effect on companies that do any business with European customers as well as companies with actual operations in Europe.

Google has put together a global policy that attempts to satisfy requirements around the world.  The EU data protection authorities say it isn’t good enough for their residents.  Will Google be forced to adopt potentially more restrictive policies on a global basis in order to satisfy the EU and keep its desired approach of a single cross-service global policy?  Or will Google end up creating a special policy for Europe?  Or will the EU regulators be forced to back down – as might happen if, for example, Google threatened to curtail EU residents’ access to certain services if Google’s terms and conditions, including its privacy policies, aren’t accepted in the EU?  (Google is not on the record as having made any such threat, but it’s an interesting scenario to consider.)

Another point of principle that seems to be lurking under the surface of the regulators’ public comments is the question of user consent.  Google asks its users to agree to its privacy policies.  In theory, adequately informed, affirmative user consent should be enough to satisfy the requirements of the current Data Protection Directive.  However, the new draft Data Protection Regulation betrays a deep skepticism on the part of the EU regulators with regard to the validity of user consent – broadly speaking the draft Regulation provides that an imbalance of power between the data subject and the data controller invalidates consent as a basis for complying with the law.  The regulators’ criticism of Google’s privacy policy focuses in part on whether certain terms are clear enough to users.  One might question whether certain terms that seem generally disfavored by EU regulators (like the use of information gathered about a user’s web surfing) can ever be made clear enough to satisfy the EU that their residents have freely given truly informed consent.

At the end of the day, the Google investigation will test the EU’s proposition that it intends to set the gold standard for data protection regulation around the world.  It may also test whether the EU regulators can bring themselves to accept that a vast majority of EU residents might be entirely happy to consent to uses of their personal data that offend the regulators – and that EU residents might actually be fully competent to make that decision for themselves.