In U.S. Regulators, Legislators Fill Privacy Void
June 4, 2013
Over the last few years privacy, and the lack of comprehensive protection, have made numerous headlines. From overly inquisitive mobile applications that fail to disclose how cell photo data is accessed and shared (Path) to handset manufacturers failures to properly inculcate privacy in the design and manufacturing process (HTC) to security lapses at government databases resulting in exposure of sensitive personal information (South Carolina), consumers, regulators and legislators are waking up to privacy issues.
Recent developments highlight the trend in Privacy
In the U.S. we lack a single comprehensive privacy law, although many state and federal laws address various aspects of collecting, storing and sharing personal information. In the absence of a single, over-arching, mandate, legislators and regulators are stepping into fill at perceived need.
GPS, Location & Privacy
The Geolocation Privacy and Surveillance (GPS) Act addresses use of location data by law enforcement. The bill (not yet law) requires police to obtain a warrant based on probable cause whenever it seeks “location information.” Unfortunately, the term “location information” is very broadly defined, does not distinguish requests for access based on the level of precision, time period, or whether the information is for past or future conduct.
Proposed Federal Privacy Standards
Two bills introduced this year aim to create a baseline level of privacy protection at the federal level. John Kerry (D-MA) and Sen. John McCain (R-AZ) introduced S. 799, the Commercial Privacy Bill of Rights Act of 2011, to create a regulatory framework for the comprehensive protection of personal data for individuals, enforceable by the Federal Trade Commission (FTC). Similarly, Rep. Cliff Stearns (R-FL) is promoting a Consumer Privacy Protection Act (H.R.1528), directed at consumers and focused on restricting the sale or disclosure of personal information.
FTC Protects Privacy Under Mantle of Consumer Protection
As a result of alleged data security failures that led to three data breaches at Wyndham hotels in less than two years, the Federal Trade Commission filed suit against hospitality company Wyndham Worldwide Corporation. The case against Wyndham is part of the FTC’s ongoing efforts to make sure that companies live up to the promises they make about privacy and data security.
Wyndham’s web site privacy policy claimed that, “We recognize the importance of protecting the privacy of individual-specific (personally identifiable) information collected about guests, callers to our central reservation centers, visitors to our Web sites, and members participating in our Loyalty Program …”
The FTC complaint alleges that Wyndham failed to maintain adequate and industry standard security measures by storing credit-card information in unencrypted format, allowing servers to remain unpatched, and failing to use firewalls.
The FTC alleges that these failures led to fraudulent charges on consumers’ accounts, millions of dollars in fraud loss, and the export of hundreds of thousands of consumers’ payment card account information to an Internet domain address registered in Russia.
Most notably, the lawsuit will test whether the Federal Trade Commission has the jurisdiction to compel companies to provide a certain level of cybersecurity in order to safeguard consumer personal information.
Privacy Remains Top Concern
Many companies across many industries, financial services, higher education and healthcare, just to name a few, are facing a wide range of security and privacy concerns, scrambling to implement A defensible security framework and demonstrate compliance. It’s alarming, considering the significant consequences associated with not complying.
Organizations can lose contracts, customers and their reputation. That could put some out of business.
Compliance Preparation & Best Practices
Large organizations can spend many months and millions of dollars on compliance. Your business need not go to such extremes. To prevent getting caught by surprise and to prepare for the compliance journey, I’ve listed below some suggested best practices.
Periodic risk assessments. Evaluate potential damage and disruption caused by unauthorized access, use, disclosure, modification, or destruction of data or systems.
Policies and procedures. Incorporate procedures for detecting, reporting, and responding to security incidents, as well as business continuity plans.
Standardize. Set standards of acceptable information security for networks, facilities, and information systems.
Train Employees. Awareness training for employees, contractors, and other users of information systems is critical. Articulate the security risks associated with activities and define users’ responsibility for complying with policies and procedures.
Test & Evaluate. Periodic assessment of the effectiveness of information security policies, procedures, practices, and controls helps determine weak spots. At a minimum they should be conducted annually, according to Ford.
Respond & Repair. Have a pre-defined process for planning, implementing, evaluating, and documenting remedial actions designed to address legal, PR, HR and related risks in the event of a breach.
THIS IS NOT LEGAL ADVICE. The procedures outlined above are merely suggestions and there is no guarantee that implementation will reduce risk or mitigate liability.
Please contact Leavens, Strand, Glover & Adler at 866-734-2568 for a free consultation to learn how LSGA can help meet your specific needs.
The rapid growth and expansion in the mobile market presents a number of privacy and security issues for mobile software and hardware developers, platform operators, advertisers and marketers who collect, store, use and share consumer information. As awareness of privacy risks grow among consumers, legislators and regulators are increasing scrutiny of mobile privacy and privacy policies in mobile apps.
Businesses operating in the mobile industry are facing a widening array of Regulatory compliance issues. Staying abreast of legal risks and issues can be daunting. How can mobile operators and application developers spot trends and adjust strategies to start competitive? First, keep an eye on FTC activity. Second, monitor new bills coming up in Congress. Third, follow this blog, adlerlaw.wordpress.com.
FTC Privacy Enforcement Actions
Earlier this year, the FTC expanded mobile privacy obligations beyond software to include hardware makers when it announced a settlement with HTC America over charges that HTC failed to use adequate “security by design” in millions of consumer mobile devices. As a result, the company is required to patch vulnerabilities on the devices which include #Smartphones and #Tablets. The settlement, the first action involving a mobile device manufacturer and the new “Privacy By Design” guidelines, sheds some light on the legal risks for mobile device manufacturers and, to some extent, mobile application developers.
Congressional Privacy Laws, Bills & Initiatives
Not surprisingly, federal legislators are taking up the mantle of Consumer Privacy in the area of Mobile Applications. In January 2013, U.S. Rep. Hank Johnson, introduced his mobile privacy bill, The Application Privacy, Protection and Security Act of 2013, or the “APPS Act,”. The bill focuses on transparency, user control and security, mandating that an application 1) provide the user with notice of the terms and conditions governing the collection, use, storage, and sharing of the personal data, and 2) obtain the consent of the user to the terms and conditions. Significantly, the privacy notice is required to include a description of the categories of personal data that
will be collected, the categories of purposes for which the personal data will be used, and the categories of third parties with which the personal data will be shared.
The Bill also requires that application developers have a data retention policy that governs the length for which the personal data will be stored and the terms and conditions applicable to storage, including a description of the rights of the user and the process by which the user may exercise such rights in addition to data security and access procedures and safeguards.
App developers unaware of the data protection requirements may face significant risks and potential harm to their reputation among users of smart devices. If you have concerns about what key data protection and privacy legal requirements apply to mobile applications and the types of processing an app may undertake contact us for a mobile app legal audit. Vague or incomplete descriptions of the ways which a mobile app handles data or a lack of meaningful consent from end users before that processing takes place can lead to significant legal risk. Poor security measures, an apparent trend towards data maximisation and the elasticity of purposes for which personal data are being collected further contribute to the data protection risks found within the current app environment.
Learn more David M. Adler here.
AUSTIN, Texas — A divided House vote provides momentum for Texas employees who wish to shield personal text messages, email passwords under a bill backed by Democratic State Rep. Hellen Giddings and given preliminary approval Thursday.
Proponents say Texas workers need the same social media protections provided in several other states. The bill prohibits employers from asking job applicants or employees for passwords to access their Facebook, Twitter or other personal accounts. Opponents argue it will provide “safe harbor” for employees to steal proprietary information at the workplace through their personal accounts.
No specific penalties are spelled out for employers who would violate the law.
The Texas law is another reminder of the ongoing evolution of Social Media law and regulation as legislators and private businesses struggle to understand how these technologies affect everyone’s rights, obligations and remedies.
If you or your business is concerned about social media legal and regulatory compliance, contact David Adler at Leavens, Strand, Glover & Adler. 866-734-2568 dadler@lsglegal.com.
VIDEO: The Evolving Insider Threat- Dawn Cappelli, Randy Trzeciak of CMU’s Insider Threat Center
This video from RSA Conference 2013 discusses:
- Who typically commits insider crimes – and how;
- How employees are being victimized from outside;
- Why our critical infrastructure is at heightened risk.
Even if you are an employer using standard commercial verification measures, you should be cautious about misuse of any information by employees, managers and contractors. Accordingly, you should be careful with training and education and not on only newly-hired employees. Further, plan on how login credential and access to sensitive information will be handled and/or turned over when training or when terminating, suspending, withholding pay, lowering pay, or taking any other adverse action against an employee.
Intel Mobile Device (Photo credit: Frank Gruber)
On February 22, 2013, the FTC announced a settlement with HTC America over charges that HTC failed to use adequate “security by design” in millions of consumer mobile devices. As a result, the company is required to patch vulnerabilities on the devices which include #Smartphones and #Tablets. The settlement, the first action involving a mobile device manufacturer and the new “Privacy By Design” guidelines, sheds some light on the legal risks for mobile device manufacturers and, to some extent, mobile application developers.
The FTC alleged that HTC failed to take reasonable steps to secure the software it developed for its smartphones and tablet computers, introducing security flaws that placed sensitive information about millions of consumers at risk. The resulting vulnerabilities posed risks to sensitive functionality, including the possibility that malware could send text messages, record audio, and install additional malware onto a consumer’s device.
Here are four key take-aways for mobile device manufacturers and application developers from the FTC’s complaint:
- provide your engineering (programming) staff with security training
- review or test your software on mobile devices for potential security vulnerabilities
- follow well-known and commonly accepted secure coding practices
- establish a process for receiving and addressing vulnerability reports from third parties
Smartphones and tablets are powerful, popular, and continue to find their ways into our personal and business lives. New mobile apps hit the market each day. In this fast-moving era of entrepreneurship and creativity, mobile device and app developers need to keep up with evolving privacy and security. Apps and mobile devices that tap into consumer data — including contact information, photos, and location to name a few — pose a heightened risk to digital snoops, data breaches, and real-world thieves.
Please contact us if you are interested in learning how to evaluate your mobile security and privacy risk or to help develop a “Privacy By Design” approach mobile app security.
Please comment, tweet and forward!
Related articles
- FTC moves against mobile device makers over security (networkworld.com)
- AT&T to usher in split-personality mobile devices (reviews.cnet.com)
Managing Risk: Legal Issues for Merchants & Affiliate Managers
February 19, 2013
I will be speaking at Affiliate Management Days SF 2013 (April 16-17, 2013) on the topic of “Managing Risk: Legal Issues for Merchants & Affiliate Managers.”
Affiliate marketing is one of the most cost-effective techniques for monetizing web site traffic and driving sales. Unfortunately, it has a reputation for high risk. While the industry is unlikely to ever be risk-free, it is possible to manage risk by: (1) understanding how techniques like behavioral and contextual targeting affect consumers, affiliates and merchants, (2) understanding the legal and regulatory environment, (3) understating risks involved with prospective marketing partners, (4) using and maintaining proper contracts that allocate risk and provide appropriate indemnifications, and (5) keeping informed about the changes in technology, marketing practices and the regulatory environment. Attendees will learn how to identify these issues and develop policies and procedures to keep informed about the current technology, marketing strategies and regulatory compliance.
Topics covered include:
- Behavioral/Contextual Advertising
- Regulatory/Industry Compliance : FTC Guides & Enforcement Actions
- CAN-SPAM compliance
- IP Law: Rules governing use of others™ Trademarks/Keywords, Right of Publicity/Endorsement Issues.
- Identifying, protecting against, and disputing accusations of Click-Fraud
Geno Prussakov, the Founder & Chair of Affiliate Management Days and the CEO & founder of AM Navigator LLC did a pre-interview with me on Small Business Trends that can be found here.
Related articles
- Bad Affiliate Programs: Cheating and Stealing from Affiliates (earnblogger.com)
Whose Social Media Account Is It Anyway?
December 23, 2012
As a result of the rapid shift in marketing from unilateral one-to-many communications, to the multilateral, many-to-many or many-to-one conversations enabled by Social Media, employees and employers are struggling to manage accounts that are used for both work and personal purposes.
This new phenomenon has benefits, but it also creates a number of legal challenges. For employees, it may result in greater efficiency, more opportunities for authentic customers engagement and the ability to stay on top of the most current grands and business issues. For employers, it presents opportunity to reap substantial benefits from lower communications and customer support costs. For in-house counsel, it raises a host of legal and practical issues with few easy solutions and significant liability and regulatory risks.
First, there are hardware issues. Smartphones, tablets and other personal electronics often have social networking capabilities built in. in addition, they contain contain both personal and business data. Because these devices are always on and always connected, they are more than just personal property. They have become essential business tools. For both sides of the workplace equation, employers and employees must understand where the privacy lines fall between personal versus work-related information.
Second, there are data issues. Employers must balance their needs to monitor employee usage, employees’ privacy concerns, and the risk of liability for theft or exposure of data if a device is lost or stolen, or from lack of proper safeguards on account usage. For in-house counsel tasked with drafting policies to address these risks, , Prior to implementation of any policy, the legal team needs to educate front line employees and management on reasonable expectations of privacy and security and the harms that the organization seeks to prevent.
Lastly, recent cases such as the Cristou v. Beatport litigation, highlight the struggle to define and control the beginning and end of employee social media accounts, ownership and protection of intellectual property and the post termination risks that arise from the absence of appropriate policies.
As we prepare to start a new year, the time is ripe to establish security and privacy policies governing creation, maintenance and use of employees’ social media accounts for work functions. In-house counsel must lead the charge to educate, inform and train employees about privacy, security and evidence-recovery implications associated with use of social media.
HHS Office of Civil Rights (OCR) releases guidance for de-identification under the HIPAA Privacy Rule.
December 13, 2012
HHS has provided guidance about methods and approaches to achieve de- identification in accordance with the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule. The guidance explains and answers questions regarding the two methods that can be used to satisfy the Privacy Rule‘s de-identification standard: Expert Determination and Safe Harbor1. This guidance is intended to assist covered entities to understand what is de-identification, the general process by which de- identified information is created, and the options available for performing de- identification.
FTC Privacy Update: Recent Guidance and Settlements
December 11, 2012
Company Sanctioned for ” History Sniffing”
FTC Settlement Puts an End to “History Sniffing” by Online Advertising Network Charged With Deceptively Gathering Data on Consumers
You know the old adage, the Internet is forever. Well, so is your browsing history, apparently. On December 5, 2012, the FTC announced that an online advertising company agreed to settle Federal Trade Commission charges that it used “history sniffing” to secretly and illegally gather data from millions of consumers about their interest in sensitive medical and financial issues ranging from fertility and incontinence to debt relief and personal bankruptcy.
“Consumers searching the Internet shouldn’t have to worry about whether someone is going to go sniffing through the sensitive, personal details of their browsing history without their knowledge,” said FTC Chairman Jon Leibowitz. “This type of unscrupulous behavior undermines consumers’ confidence, and we won’t tolerate it.”
The defendant, Epic Marketplace shared information with a large advertising network that has a presence on 45,000 websites. Consumers who visited any of the network’s sites received a cookie, which stored information about their online practices including sites they visited and the ads they viewed. The cookies allowed Epic to serve consumers ads targeted to their interests, a practice known as online behavioral advertising.
Mobile Applications (Apps) Continue to Threaten Childrens’ Privacy
Kids’ Data Still Collected, Shared without Parents’ Knowledge, Consent
The Federal Trade Commission issued a new staff report, “Mobile Apps for Kids: Disclosures Still Not Making the Grade,” [PDF here ] examining the privacy disclosures and practices of apps offered for children in the Google Play and Apple App stores. The report details the results of the FTC’s second survey of kids’ mobile apps.
The FTC first surveyed kids’ mobile apps in 2011. Since then there has been little progress toward giving parents the information they need to determine what data is being collected from their children, how it is being shared, or who will have access to it. Many any of the apps examined included interactive features, such as connecting to social media, and sent information from the mobile device to ad networks, analytics companies, or other third parties, without disclosing these practices to parents.
Disturbingly, the shared information included login information across multiple sites, GPs location information and device ID information.
Act Of Uploading Photos To Web Site Is Sufficient to Assign Copyrights
November 21, 2012
website is down (Photo credit: Sean MacEntee)
In today’s business world, web sites are no longer simply a static online presence. Today’s web sites are highly interactive and often make use of content (photos, text, images, videos, etc.) that have bee uploaded by visitors and registered users. With the speed of search engines, social networking platforms and mobile computing technologies, any online problem can quickly have far reaching effects well beyond the initial issue.
In order to ensure that web site operators may make as broad a use of this content as possible and that these web sites do not violate the rights of those whose content has been uploaded, many web site have Terms of Use that contain intellectual property licenses, assignments and indemnifications.
A recent federal District Court in Maryland examined whether the mere act of uploading photographs to a website met the requirements of forming a valid electronic contract sufficient to assign copyrights in the photographs under Section 204(a) of the Copyright Act, which requires assignments to be in writing and signed by the assignor.
In Metro. Reg’l Info. Sys., Inc. v. Am. Home Realty Network, Inc., No. 12-cv-00954 (D. Md. Nov. 13, 2012) the defendant argued plaintiff could not state a claim for infringement on the photographs because the assignments of these photographs to plaintiff were void. Defendant argued that the web site Terms of Use Agreement (“TOU”) and the electronic process in which subscribers assigned copyrights in the photographs to plaintiff did not comply with Section 204(a) of the Copyright Act. The Court disagreed.
The Court first looked at Section 204(a). That section provides that “[a] transfer of copyright ownership, other than by operation of law, is not valid unless an instrument of conveyance, or a note or memorandum of the transfer, is in writing and signed by the owner of the rights conveyed or such owner’s duly authorized agent.” 17 U.S.C. § 204(a). The Court then turned to the Electronic Signatures in Global and National Commerce Act (“E-SIGN”), 15 U.S.C. §§ 7001 et seq., to reject defendant’s argument that the assignments were invalid. E-SIGN provides, in relevant part:
“[n]otwithstanding any statute, regulation, or other rule of law . . . with respect to any transaction in or affecting interstate or foreign commerce–
(1) a signature, contract, or other record relating to such transaction may not be denied legal effect, validity, or enforceability solely because it is in electronic form; and
(2) a contract relating to such transaction may not be denied legal effect, validity, or enforceability solely because an electronic signature or electronic record was used in its formation.
15 U.S.C. § 7001(a).
“The term ‘electronic signature’ means an electronic sound, symbol, or process, attached to or logically associated with a contract or other record and executed or adopted by a person with the intent to sign the record.” Id. § 7006(5). The Court concluded that the TOU was clear in its terms and that the electronic process by which subscribers assigned the copyrights in the photographs met E-SIGN and Section 204(a) requirements. Accordingly, the Court held that the assignments were not invalid as a matter of law.
