Online Privacy in the Open - Who Cares About the Faux Fight?

Much ado has been made in recent weeks about the FTC’s Do Not Track proposal, the push from Congress to protect consumers, and the response from Google, Microsoft and Mozilla, as well as the online ad industry, about the risks and rewards of self-regulation. But what has seemed to be missing from the debate is the public’s own outcry. Amidst the churning discussions there has not been a sense that the general online population is overly concerned about whether an advertiser can track their preferences... at least until the information they share leads to a distinct invasion of privacy with repercussions.

All in all, this debate remains self-contained, and raises more questions than it answers.

From the political front, the Congressional proposals present an issue that is easy to support. Who is “against” privacy? Perhaps the same people who want to bring down apple pie and stop the Veterans Day parade...

Technology executives and startups are being buffeted about by concern over impending government regulation, by the effort to agree on a self-implemented system, and by the prospect of monetizing so-called "privacy assets" for those opting to share more. But how much of the genie is already out of the bottle? Is it possible to truly claw back or sanitize people’s data that is already out there?

There is certainly cause for public concern, though it seems that is not the case until an actual situation occurs. If a website, social forum or third party advertiser holding your personal information is hacked or breached, the potential invasion of privacy regarding personal preferences could be huge. Finances, sexual preference, and many items that could lead to identity theft are all put at risk. Yet we continue to "like" and "share" and post pictures because living online has become an extension of daily life.

Is this public acceptance? Maybe we won’t know until there is a problem that draws attention on a national scale. The public has control over their own activity online, and the amount of information they wish to share.

If the public is truly concerned about online privacy, it is a matter of self-regulation on a personal level. In the meantime, the government and the industry will continue to swirl in a cycle that perhaps will only end with a set of regulations and authorizations that create more unenforceable layers than there were before. Data thieves will always find ways to game the system, there will always be a risk when sharing personal information online, and advertising will not stop being the fuel that runs much of the internet.

Potential Bankruptcy Sale of Personal Information From Gay Teen Magazine Has Privacy Implications - FTC Objects

Privacy lawyers see assets differently than some other attorneys.  Bankruptcy lawyers see assets even more differently.  So what happens when privacy lawyers try to get out in front of maneuvers by bankruptcy lawyers?

Let me put the issue in context.  When a privacy lawyer drafts a privacy policy for a web site, he or she will think about all of the possible scenarios where his or her client needs to transfer personal information collected on the web site.  As part of a sale of the company?  To answer law enforcement and other subpoena requests?  To litigate against the owner of the information?  In each case, the web site owner wants the right to use and transfer the personal information of its users.

But what if the company/web site goes defunct?  Some clients will take the position that they do not want subscriber information going into the hands of the highest bidder, no matter what.  Other clients will determine that if their business failed, all bets are off and the asset of the company (the personal information) should be used to generate income for the estate.  Those people in the latter category are often the same people that personally guarantee the borrowing by the company and, therefore, want every potential asset to be available.  The lawyer for clients in the last category will put in the privacy policy an explicit disclosure that the information may be transferred in bankruptcy proceedings.

But what happens when the privacy policy says nothing about bankruptcy but does say "[w]e never give your info to anybody"?  Read on for that exact scenario, currently pending in bankruptcy court.

XY.com was a magazine that catered to gay teens, a category of users that sought privacy for personal, familial and safety reasons.  The founder of the magazine, Peter Ian Cummings, shuttered the magazine in 2007, the web site in 2009, and the information collected has (presumably) sat dormant since then.

In February of this year, Cummings filed for personal bankruptcy protection.  Although Mr. Cummings had little in the way of assets, he did list the editorial content and users' personal information as a personal asset.  Now, creditors of Mr. Cummings want the users' personal information sold and the proceeds distributed to creditors.

The first question is how Mr. Cummings came to be the owner of the users' personal information.  It is possible that a business entity was never formed, in which case Mr. Cummings may truly be the owner.  It is also possible that a business entity was formed, but later dissolved and the assets distributed to him as an (or the sole) owner of the magazine.  In any event, I expect the first question to be whether the users' personal information should have been listed in his financial statements at all.

Assuming that the users' personal information is properly listed as an asset of Mr. Cummings, we have to wonder how this is different from the toysmart.com bankruptcy case in 2000.  In that case, toysmart.com offered to sell its customer list but backed down after tremendous public pressure and threats from attorneys general of several states.  Maybe the toysmart.com case was more novel at the time (2000) and received more attention because it was something that most people had not considered.  Maybe ten years later the expectation of privacy is actually worse than it was in 2000.  We can only hope that the latter is not the case.

The FTC has come out and said that it strongly objects to any sale of XY.com users' personal information, and has called for the information to be destroyed in light of the XY.com privacy policy in effect (at least at the time of collection).  As reported in an excellent article by CNET, the following are two excerpts from the FTC's letter to attorneys and creditors in the Cummings bankruptcy:

"Due to the nature of the information, the passage of time, and the closure of the magazine and Web site in 2007 and 2009, respectively, the continued use of the data may pose privacy risks not reasonably contemplated by subscribers when they provided the data, and not consistent with their course of dealing with the company."

"With regard to the street addresses collected by XY, many of these were provided by minors living with their parents or others who may have been unaware of their sexual orientation. With the passage of time since the magazine and Web site's demise, many of these minors may have moved. At the time the Web site and magazine were operational, minors who moved, especially those concerned about the confidentiality of their subscriptions, were able to go online to update promptly any change of address. Former subscriber expectations, however, have likely changed over the past several years. They do not expect to receive any future communications from XY. The magazine has ceased publication and has been dormant for three years. The Web site no longer functions, making it impossible to update any changes of address, even if there were an expectation that future communications might occur. Accordingly, any effort to contact former subscribers via mail now carries the risk of unintentionally revealing their sexual orientation to individuals residing at the former subscribers' addresses."

If the bankruptcy judge allows the sale to happen (and ultimately the bankruptcy judge can block the sale, subject to appeal), then anyone can purchase the information.  I am not sure how valuable information that is three years old really is to a company, but we can suppose many examples of where the data could be used for more nefarious purposes.  If a sale does occur, you can expect to see groups bidding for the sole purpose of destroying the information.

It is also possible that there will be a bifurcation of the data, with information collected online and information collected offline being treated differently.  The FTC, no doubt, will argue that the online privacy policy applies to information collected offline unless the online privacy policy explicitly states otherwise.

In any event, this particular data is some of the most sensitive data I can imagine, outside of that concerning certain crime victims.  I cannot tell you that this issue could have been absolutely drafted around (this is bankruptcy court, after all, and some crazy things happen in the name of protecting creditors), and I also cannot tell you that privacy lawyers do not draft privacy policies every day with the explicit intent that such data can be sold in bankruptcy proceedings.

There is pending legislation that could prohibit a transfer just like this.  As noted in a brief but good article on this case at ReadWriteWeb.com, the Online Privacy Act would provide: "A covered entity may not sell, share, or otherwise disclose covered information to an unaffiliated party without first obtaining the express affirmative consent of the individual to whom the covered information relates."  A silver bullet?  No, but it is a good argument to prevent transfers such as the one proposed in the XY.com case.

FTC Delays Implementation of Red Flag Rules Until December 31, 2010

In an effort to ease the holiday weekend of those affected, the FTC announced that the effective date of the Red Flag Rules has been delayed until December 31, 2010.  This announcement may have a familiar feel to you (January 1, 2008, November 1, 2008, June 1, 2010?).  Click here to read at the FTC web site, or read the full text by clicking "Continue Reading" below.  Happy Memorial Day.

At the request of several Members of Congress, the Federal Trade Commission is further delaying enforcement of the “Red Flags” Rule through December 31, 2010, while Congress considers legislation that would affect the scope of entities covered by the Rule. Today’s announcement and the release of an Enforcement Policy Statement do not affect other federal agencies’ enforcement of the original November 1, 2008 deadline for institutions subject to their oversight to be in compliance.

“Congress needs to fix the unintended consequences of the legislation establishing the Red Flags Rule – and to fix this problem quickly. We appreciate the efforts of Congressmen Barney Frank and John Adler for getting a clarifying measure passed in the House, and hope action in the Senate will be swift,” FTC Chairman Jon Leibowitz said. “As an agency we’re charged with enforcing the law, and endless extensions delay enforcement.”

The Rule was developed under the Fair and Accurate Credit Transactions Act, in which Congress directed the FTC and other agencies to develop regulations requiring “creditors” and “financial institutions” to address the risk of identity theft. The resulting Red Flags Rule requires all such entities that have “covered accounts” to develop and implement written identity theft prevention programs to help identify, detect, and respond to patterns, practices, or specific activities – known as “red flags” – that could indicate identity theft.

The Rule became effective on January 1, 2008, with full compliance for all covered entities originally required by November 1, 2008. The Commission has issued several Enforcement Policies delaying enforcement of the Rule. Most recently, the Commission announced in October 2009 that at the request of certain Members of Congress, it was delaying enforcement of the Rule until June 1, 2010, to allow Congress time to finalize legislation that would limit the scope of business covered by the Rule. Since then, the Commission has received another request from Members of Congress for another delay in enforcement of the Rule beyond June 1, 2010.

The Commission urges Congress to act quickly to pass legislation that will resolve any questions as to which entities are covered by the Rule and obviate the need for further enforcement delays. If Congress passes legislation limiting the scope of the Red Flags Rule with an effective date earlier than December 31, 2010, the Commission will begin enforcement as of that effective date.

In the interim, FTC staff has continued to provide guidance, both through materials posted on www.ftc.gov/redflagsrule, and in speeches and participation in seminars, conferences and other training events to numerous groups. The FTC also published a compliance guide for business, and created a template that enables low risk entities to create an identity theft program with an easy-to-use online form (www.ftc.gov/bcp/edu/microsites/redflagsrule/get-started.shtm). The FTC staff also has published numerous general and industry-specific articles, released a video explaining the Rule, and continues to respond to inquiries from the public. To assist further with compliance, FTC staff has worked with a number of trade associations that have chosen to develop model policies or specialized guidance for their members.

As was the case previously, this enforcement delay is limited to the Red Flags Rule and does not extend to the rule regarding address discrepancies applicable to users of consumer reports (16 C.F.R.§641), or to the rule regarding changes of address applicable to card issuers (16 C.F.R.§681.2).

For questions regarding this Enforcement Policy, please contact Naomi Lefkovitz or Pavneet Singh, Bureau of Consumer Protection, 202-326-2252.

The Federal Trade Commission works for consumers to prevent fraudulent, deceptive, and unfair business practices and to provide information to help spot, stop, and avoid them. To file a complaint in English or Spanish, visit the FTC’s online Complaint Assistant or call 1-877-FTC-HELP (1-877-382-4357). The FTC enters complaints into Consumer Sentinel, a secure, online database available to more than 1,800 civil and criminal law enforcement agencies in the U.S. and abroad. The FTC’s Web site provides free information on a variety of consumer topics.

FTC Concerned About Retention of Scans on Copy Machines

Every day we all read about the latest threat to our privacy.  Facebook tricks you into sharing your private life details and Facebook staff is fed up.  The computer in your car can be hacked to disable your brakes.  Google collected wi-fi hotspot data for some (alleged) nefarious purpose.

It is not often that we come across something that just does not seem possible.  Yesterday was one of those days, when the FTC announced that it is working with copy machine manufacturers to either end or severely restrict the existing practice of storing digital images captured on photocopiers.  The FTC's response (PDF link) was in reaction to a letter (PDF link) from Representative Ed Markey (D-MA) after seeing a CBS report last month on the issue.

Photocopies made on modern photocopiers are stored on an internal hard drive in the copy machine.  CBS reported last month that "[n]early every digital copier built since 2002 contains a hard drive - like the one on your personal computer - storing an image of every document copied, scanned, or emailed by the machine."  In other words, everything you have photocopied is stored on a hard drive hidden deep inside the photocopier.

WHAT!?!  Why?  Who thought this was a good idea?  And all, or almost all, copier manufacturers put this function in their copiers?  When did I photocopy those "youthful" pictures from college for my buddy's bachelor party?  We received new photocopiers last year, so that copier is gone (thank goodness).  But wait, where is it?  Read on to see some of the nightmare scenarios this raises.

The used photocopier in the CBS story was from the Buffalo, New York Police Sex Crimes Division.  Putting aside that a page was still on the glass of the scanner bought from a used wholesaler, there were also tens of thousands of images detailing confidential police reports, victim statements and investigations.  All of these images were pulled from the hard drive using forensic software available on the Internet.  You have to read this article to believe it.
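The CBS story says the images were "pulled from the hard drive using forensic software." What that software does is not magic, and it is worth seeing why a copier's drive gives up its contents so easily. The Python below is an added illustration for this post, not the tooling used in the CBS report and not any copier vendor's software: it carves JPEG images out of a raw drive image by file signature alone, which is why deleting jobs from the copier's own job list does nothing, and it includes the check a practitioner would run to confirm a wipe actually worked. The drive image is constructed sample data and the labels stand in for scanned pages.

```python
"""Carve JPEG images out of a raw drive image by signature alone.

Added illustrative example for this post; it is not the CBS report's tooling nor
any copier vendor's software.  The drive image below is constructed sample data.
"""

# A JPEG starts with the SOI marker (FF D8) immediately followed by another marker
# (FF xx), and ends with the EOI marker (FF D9).  A carver walks the raw bytes
# looking for those signatures, so it needs no directory entries or filenames:
# removing a job from the copier's file table does not remove the image data.
JPEG_SOI = b"\xff\xd8\xff"
JPEG_EOI = b"\xff\xd9"


def carve_jpegs(blob, max_size=20 * 1024 * 1024):
    """Return every candidate JPEG in `blob`, in order of appearance.

    Caveat: a naive EOI search can stop early on an embedded EXIF thumbnail's own
    EOI marker; production carvers parse the marker segments instead.
    """
    found = []
    pos = 0
    while True:
        start = blob.find(JPEG_SOI, pos)
        if start == -1:
            return found
        end = blob.find(JPEG_EOI, start + len(JPEG_SOI))
        if end == -1 or end - start > max_size:
            # Truncated or implausibly large candidate: skip this header, keep scanning.
            pos = start + 1
            continue
        found.append(blob[start:end + len(JPEG_EOI)])
        pos = end + len(JPEG_EOI)


def make_fake_drive_image():
    """Constructed sample: two small JPEG-shaped records buried in filler bytes.

    A real copier drive holds full-page scans; the labels stand in for content.
    """
    scan_1 = JPEG_SOI + b"\xe0" + b"police report, page 1" + JPEG_EOI
    scan_2 = JPEG_SOI + b"\xe1" + b"victim statement" + JPEG_EOI
    filler = bytes(range(256)) * 16  # contains no FF D8 FF and no FF D9 sequence
    return filler + scan_1 + filler + scan_2 + filler


def overwrite(blob):
    """Model a full overwrite pass: the only thing that defeats carving is data
    that is no longer on the platter."""
    return bytes(len(blob))


def drive_is_clean(blob):
    """Verification step to run after a wipe or before a leased machine goes back:
    no carvable image should remain."""
    return carve_jpegs(blob) == []


if __name__ == "__main__":
    image = make_fake_drive_image()
    for jpeg in carve_jpegs(image):
        print(len(jpeg), "bytes:", jpeg[4:-2].decode())
    print("clean after overwrite:", drive_is_clean(overwrite(image)))
```

The same signature-scanning approach works for TIFF and PDF, the other formats copiers commonly write, by swapping in their headers; the lesson does not change. The only remediation the carver cannot see through is an overwrite of the data itself, which is what `drive_is_clean` confirms.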

But what about your business?  You probably don't own your photocopiers, and instead opt to lease or finance copiers that you turn back over after a set number of years.  Do you photocopy medical information, social security numbers or banking/tax information of your employees?  What about your clients?  If you are in the medical field, clearly a problem.  What about CPAs?  Insurance companies?  Almost any business is affected.

If they do not already, I bet litigators reading about this are going to start adding photocopier hard drives to their Requests for Production of Documents.  Talk about smoking guns!

Used copiers go somewhere, and they are generally cheap.  A thief that trades in personal information would certainly be interested in looking into purchasing used copy machines on the chance (likelihood) that personal information is in there (kind of a game of Identity Theft Bingo). 

It is easy to have an alarmist reaction to this news.  Depending on your field, you may want to consider some of the software solutions for this problem (CBS cites Digital Copier Security as a solution vendor).  Whatever the vendor, the practical controls are the same: find out whether the copier encrypts its drive or overwrites each job after it is printed, and make sure the drive is wiped or removed before the machine leaves your custody at the end of a lease.  But everyone is affected, so you are not alone.  Ultimately, your response depends on how seriously your organization takes the protection of your clients' and employees' confidential information.

Online Privacy Regulation Comes Front and Center at FTC, and Will Quickly Fade

A standing-room-only meeting organized by the Federal Trade Commission (FTC) in Washington on Monday, December 7th, highlighted a crucial divide in the discussion over the regulation of online privacy. The New York Times provides an excellent summary of the mainstream newsworthy aspects of the meeting.

While the takeaway may be that the FTC is taking a more serious look at online privacy and net neutrality, the reality is that any oversight is not going to happen anytime soon. Not anytime soon as in years, if ever. Policy making as the solution is not going to address any immediate concerns or problems.

What may be of more interest is the deep divide between the parties with a vested interest in the outcome of the discussion, namely, the consumer/consumer advocates and parties making money from information that may one day be regulated.

Consumers generally have no idea what information or Internet usage habits are being shared, or how it is being shared. Sure, legitimate businesses state clearly in privacy policies and disclosures what is going to happen with your information. Less scrupulous companies lie in those policies and statements. But you don’t read those policies or disclosures. Nobody does.

Consumer/privacy advocate groups do read those policies and disclosures, and they speak for consumers. But the consumer often feels he or she has no real vested interest in the use of the most benign of that information. Why do I care if information about what movies I rent gets made public in an anonymous manner? You probably do not care.

You would care if that information about you concerned your sexual orientation, a personal matter that you have chosen to keep to yourself. The release of supposedly anonymized rental data for the Netflix Prize contest, which researchers were able to link back to individual subscribers, exposed that information about one woman (according to her complaint), and she sued.

The businesses that make money off of your information and Internet usage habits stand to lose money. Lots and lots of money. Groups like Google, the Direct Marketing Association, Facebook and even those URL shortening services that aggregate data to sell reports on what is hot in Internet traffic.

And the answer for those groups that stand to lose money if the current “opt-out” approach is abandoned? Turn off cookies. Do not sign up for services that disclose personal information in exchange for you to use the providers’ services. The web site will not “function” properly with the cookies turned off? Well, you do not have to use the web site. You do not want anything about your use shared? Hey, don’t use Facebook. You are concerned about law enforcement accessing your Internet history without probable cause or reasonable suspicion of wrongdoing (specifically, without a warrant)? There must be alternatives to Comcast and FIOS, right?

Most people do not want governmental regulation of more and more activities, but most people will also admit that where rights are trampled, government regulation is often the best tool to stamp it out. Most businesses do not want regulation, period.

The debate is going to get heated, it is going to be protracted and it is going to expose who has an interest and what sacrifices (often of others) they are willing to make. We look forward to seeing how the debates unfold. If it is anything like the underreported FTC meeting in Washington almost two weeks ago, the debate will be interesting with no clear winner (unless the status quo remains, in which businesses brokering data continue to win).

FTC Extends Red Flag Rules Enforcement Until June 1, 2010

The FTC has again extended enforcement of the Red Flag Rules, this time until June 1, 2010.

This extension comes just one day after the ABA won a victory with its request that practicing attorneys be exempted from compliance with the Red Flag Rules.

The extension of the enforcement deadline also comes shortly after certain other exemptions, namely, health care practices, accounting practices, legal practices (each with 20 or fewer employees) and certain other businesses approved by the FTC that are engaged in domestic services, engage in services where identity theft is rare and have no incidence of identity theft, were passed in the House of Representatives.

Originally, the Red Flag Rules would have taken effect on November 1, 2008, which was then extended to May 1, 2009, and then further extended to November 1, 2009.

ABA SCORES VICTORY WITH ATTORNEY EXEMPTION FROM RED FLAG RULES

The United States District Court for the District of Columbia ruled that the Red Flag Rules are not applicable to attorneys engaged in the practice of law.

The complaint, filed in late August 2009, argues that the FTC overstepped its statutory authority by imposing the Red Flag Rules on attorneys engaged in the practice of law.

The ruling is another victory by the American Bar Association when it comes to exempting attorneys from rules regarding the handling of financial and/or sensitive information. It would seem that the FTC would have made adjustments to its definitions of “creditor” to make it clear that attorneys should be included in its regulations, but that clarification may need to be addressed at the Congressional level to avoid future ambiguity.

If Congress does present future legislation, or an amendment to existing legislation, that specifically includes attorneys, it will be interesting to see how the ABA argues that attorneys should be exempted from these types of federal consumer protection statutes.

The BLT: The Blog of LegalTimes reports that it is expected that the FTC will appeal the ruling.

EXEMPTIONS UNDER FTC RED FLAG RULES AMENDMENT PASSES THE HOUSE

Representative John Adler’s (D-NJ) amendment to the FTC Red Flag Rules, an act titled “To amend the Fair Credit Reporting Act to provide for an exclusion from Red Flag Guidelines for certain businesses,” passed the House of Representatives on October 20, 2009.

Currently, the Red Flag Rules go into effect on November 1, 2009.

Set forth in full below, the bill exempts health care practices, accounting practices, legal practices (each with 20 or fewer employees) and certain other businesses approved by the FTC that are engaged in domestic services, engage in services where identity theft is rare and have no incidence of identity theft, from complying with the Red Flag Rules.

The Adler amendment will have little effect on the litigation brought in August by the American Bar Association because of its limited scope.

Data Accountability and Trust Act: Federal Breach Notification, Data Security Policies and File Access Addressed

The U.S. House of Representatives continues to debate, revise and take testimony on a major piece of proposed federal privacy legislation, the Data Accountability and Trust Act (H.R. 2221) (“DATA”), which was referred to the House Committee on Energy and Commerce on April 30, 2009.

The proposed DATA legislation has three primary goals. First, DATA would put into place a first-of-its-kind (other than the HITECH Act applicable to medical data, discussed here) federal law setting the standards for notification of breaches or thefts involving personally identifiable information. DATA would also require that notification be provided to the FTC if there is a breach. Although there is no requirement of notification to state agencies, DATA does allow state agencies as well as the FTC to enforce its provisions.

Almost all states and jurisdictions already have data breach notification laws in place, and others are on the verge of passing them, so a federal law would replace the jumble of standards and reporting requirements. Privacy proponents generally applaud the idea of a uniform data breach notification standard, but the fear of putting in place a lower standard than some jurisdictions already have continues to cast a shadow over this prospect. As with many state laws, a firm could avoid notifying customers and the FTC if it determines that there is no risk of harm from the breach or theft. This “no risk” standard, however, would be weaker than that of the states that require reporting regardless of whether there is a risk. Therefore, while preemption is not being dismissed by those following the legislation, a demand for adequate notification standards continues.

Second, DATA would require that firms that store personally identifiable information have in place security policies and procedures to ensure that the information is adequately protected. These proposed provisions largely track those already in place under the Gramm-Leach-Bliley Act.  The definition of “personal information” in DATA is fairly limited in scope, because too broad a definition (think of the very broad definition used by the European Union) would lead to over-notification if there is a breach, a possibility many fear would breed complacency if breach notices became an everyday occurrence. The current definition under DATA is: an individual’s first name or initial and last name, or address, or phone number, in combination with any 1 or more of the following data elements for that individual: (i) Social Security number; (ii) driver’s license number or other State identification number; and (iii) financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account.

However, the definition of “personal information” in DATA is no broader with respect to security policies and procedures, meaning that the set of firms required to have security policies and procedures in place is likewise limited. While there may be a particular concern about imposing (potentially) costly requirements on firms that hold information less sensitive than that in the definition of “personal information,” there will be a push to expand the definition of “personal information” for purposes of the security policies and procedures requirements.

Third, DATA has added provisions related to consumers’ ability to review and correct misinformation held by a firm. Similar to the right to review and protest information contained in credit reports under the Fair Credit Reporting Act (PDF link), consumers are allowed to point out incorrect “personal information” a firm maintains. That statement alone raises two major flaws in the current legislation. First, the definition of “personal information” is limited and would only allow a review and correction of highly sensitive information. Under FCRA, any reported information is subject to review and correction. Second, there is no clear direction on what is meant by “maintain.” Does information obtained from clearinghouses constitute “maintaining” that information? Most state statutes are interested in possession and/or use of the data, which is a much clearer standard.

DATA will continue to evolve and be adjusted as interested parties provide feedback and suggestions. Whether DATA is the national privacy law that we are all anticipating and, in many ways, hoping for remains to be seen.

Mark McCreary is a partner in Fox Rothschild's Corporate Department, specializing in privacy and Internet law. If you have questions regarding this post, or any other privacy matter, you may contact Mark at (215) 299-2010 or mmccreary@foxrothschild.com.

Red Flags Rules Further Delayed, Now Go Into Effect August 1, 2009

UPDATE: Whether it is because of the economy, or a fear that the Red Flags Rules affect far more retailers than may be understood, the FTC has granted a further delay of enforcement of the Red Flags Rules until August 1, 2009.  Additionally, the FTC will issue a template for lower risk covered entities.  The most recent update can be read here.

This time, nobody can accuse the Federal Trade Commission (“FTC”) and other agencies of implementing new requirements that sneak up on us. These particular regulations (the “Red Flags Rules”), which require that financial institutions and creditors develop and implement written identity theft prevention programs, were issued by the FTC, the federal bank regulatory agencies and the National Credit Union Administration ("NCUA") under the Fair and Accurate Credit Transactions (FACT) Act of 2003, and go into effect on August 1, 2009. Originally, the Red Flags Rules would have taken effect on November 1, 2008, which was then extended to May 1, 2009.

The Red Flags Rules require that a program be put in place by financial institutions and creditors that provides for the identification, detection, and response to patterns, practices, or specific activities – known as “red flags.” The purpose of the Red Flags Rules is to help avoid identity theft.

These "red flags" may include, for example, unusual account activity, fraud alerts on a consumer report, or attempted use of suspicious account application documents. The program must also describe appropriate responses that would prevent and mitigate the crime and detail a plan to update the program. The program must be managed by the Board of Directors or senior employees of the financial institution or creditor, include appropriate staff training, and provide for oversight of any service providers.

As explained by the FTC:
The Red Flags Rules apply to “financial institutions” and “creditors” with “covered accounts.”

Under the Rules, a financial institution is defined as a state or national bank, a state or federal savings and loan association, a mutual savings bank, a state or federal credit union, or any other entity that holds a “transaction account” belonging to a consumer. Most of these institutions are regulated by the Federal bank regulatory agencies and the NCUA. Financial institutions under the FTC’s jurisdiction include state-chartered credit unions and certain other entities that hold consumer transaction accounts.

A transaction account is a deposit or other account from which the owner makes payments or transfers. Transaction accounts include checking accounts, negotiable order of withdrawal accounts, savings deposits subject to automatic transfers, and share draft accounts.

A creditor is any entity that regularly extends, renews, or continues credit; any entity that regularly arranges for the extension, renewal, or continuation of credit; or any assignee of an original creditor who is involved in the decision to extend, renew, or continue credit. Accepting credit cards as a form of payment does not in and of itself make an entity a creditor. Creditors include finance companies, automobile dealers, mortgage brokers, utility companies, and telecommunications companies. Where non-profit and government entities defer payment for goods or services, they, too, are to be considered creditors. Most creditors, except for those regulated by the Federal bank regulatory agencies and the NCUA, come under the jurisdiction of the FTC.

A covered account is an account used mostly for personal, family, or household purposes, and that involves multiple payments or transactions. Covered accounts include credit card accounts, mortgage loans, automobile loans, margin accounts, cell phone accounts, utility accounts, checking accounts, and savings accounts. A covered account is also an account for which there is a foreseeable risk of identity theft – for example, small business or sole proprietorship accounts.


A supplement to the Guidelines identifies 26 possible red flags. These red flags are not a checklist, but rather, are examples that financial institutions and creditors may want to use as a starting point. They fall into five categories:

• alerts, notifications, or warnings from a consumer reporting agency;
• suspicious documents;
• suspicious personally identifying information, such as a suspicious address;
• unusual use of – or suspicious activity relating to – a covered account; and
• notices from customers, victims of identity theft, law enforcement authorities, or other businesses about possible identity theft in connection with covered accounts.

A full list of the 26 possible red flags is set forth below.

It is important that your business, if affected, conforms with the Red Flags Rules.

Mark McCreary is a partner in Fox Rothschild's Corporate Department, specializing in privacy and Internet law. If you have questions regarding this post, or any other privacy matter, you may contact Mark at (215) 299-2010 or mmccreary@foxrothschild.com.

Alerts, Notifications or Warnings from a Consumer Reporting Agency

1. A fraud or active duty alert is included with a consumer report.
2. A consumer reporting agency provides a notice of credit freeze in response to a request for a consumer report.
3. A consumer reporting agency provides a notice of address discrepancy, as defined in § 334.82(b) of this part.
4. A consumer report indicates a pattern of activity that is inconsistent with the history and usual pattern of activity of an applicant or customer, such as:

a. A recent and significant increase in the volume of inquiries;
b. An unusual number of recently established credit relationships;
c. A material change in the use of credit, especially with respect to recently established credit relationships; or
d. An account that was closed for cause or identified for abuse of account privileges by a financial institution or creditor.

Suspicious Documents

5. Documents provided for identification appear to have been altered or forged.
6. The photograph or physical description on the identification is not consistent with the appearance of the applicant or customer presenting the identification.
7. Other information on the identification is not consistent with information provided by the person opening a new covered account or customer presenting the identification.
8. Other information on the identification is not consistent with readily accessible information that is on file with the financial institution or creditor, such as a signature card or a recent check.
9. An application appears to have been altered or forged, or gives the appearance of having been destroyed and reassembled.

Suspicious Personal Identifying Information

10. Personal identifying information provided is inconsistent when compared against external information sources used by the financial institution or creditor. For example:

a. The address does not match any address in the consumer report; or
b. The Social Security Number (SSN) has not been issued, or is listed on the Social Security Administration’s Death Master File.

11. Personal identifying information provided by the customer is not consistent with other personal identifying information provided by the customer. For example, there is a lack of correlation between the SSN range and date of birth.
12. Personal identifying information provided is associated with known fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:

a. The address on an application is the same as the address provided on a fraudulent application; or
b. The phone number on an application is the same as the number provided on a fraudulent application.

13. Personal identifying information provided is of a type commonly associated with fraudulent activity as indicated by internal or third-party sources used by the financial institution or creditor. For example:

a. The address on an application is fictitious, a mail drop, or prison; or
b. The phone number is invalid, or is associated with a pager or answering service.

14. The SSN provided is the same as that submitted by other persons opening an account or other customers.
15. The address or telephone number provided is the same as or similar to the account number or telephone number submitted by an unusually large number of other persons opening accounts or other customers.
16. The person opening the covered account or the customer fails to provide all required personal identifying information on an application or in response to notification that the application is incomplete.
17. Personal identifying information provided is not consistent with personal identifying information that is on file with the financial institution or creditor.
18. For financial institutions and creditors that use challenge questions, the person opening the covered account or the customer cannot provide authenticating information beyond that which generally would be available from a wallet or consumer report.

Unusual Use of, or Suspicious Activity Related to, the Covered Account

19. Shortly following the notice of a change of address for a covered account, the institution or creditor receives a request for new, additional, or replacement cards or a cell phone, or for the addition of authorized users on the account.
20. A new revolving credit account is used in a manner commonly associated with known patterns of fraud. For example:

a. The majority of available credit is used for cash advances or merchandise that is easily convertible to cash (e.g., electronics equipment or jewelry); or
b. The customer fails to make the first payment or makes an initial payment but no subsequent payments.

21. A covered account is used in a manner that is not consistent with established patterns of activity on the account. There is, for example:

a. Nonpayment when there is no history of late or missed payments;
b. A material increase in the use of available credit;
c. A material change in purchasing or spending patterns;
d. A material change in electronic fund transfer patterns in connection with a deposit account; or
e. A material change in telephone call patterns in connection with a cellular phone account.

22. A covered account that has been inactive for a reasonably lengthy period of time is used (taking into consideration the type of account, the expected pattern of usage and other relevant factors).
23. Mail sent to the customer is returned repeatedly as undeliverable although transactions continue to be conducted in connection with the customer’s covered account.
24. The financial institution or creditor is notified that the customer is not receiving paper account statements.
25. The financial institution or creditor is notified of unauthorized charges or transactions in connection with a customer’s covered account.

Notice from Customers, Victims of Identity Theft, Law Enforcement Authorities, or Other Persons Regarding Possible Identity Theft in Connection with Covered Accounts Held by the Financial Institution or Creditor

26. The financial institution or creditor is notified by a customer, a victim of identity theft, a law enforcement authority, or any other person that it has opened a fraudulent account for a person engaged in identity theft.

Welcome to the Privacy Compliance and Data Security Blog

We are pleased to announce and launch Fox Rothschild’s Privacy Compliance and Data Security Blog. With a new President, a new national mission throughout government to secure and protect personal information and prevent cyber threats, as well as quickly evolving privacy requirements here and abroad, there could not be a better time to think about data privacy.

We decided to create this blog so that our clients and friends would have timely access to current, pending and anticipated requirements on such issues as privacy compliance, data security and breach notification. Although we do not expect every topic on our blog to be important to you, we hope to provide our readers with information regarding a wide array of issues and developments that are relevant in today’s world. While you may be reading our blog because you want to ensure that your business complies with applicable laws, privacy laws and practices affect all of our daily lives on business, personal and professional levels. Whether you find your business responding to a data breach, or you are concerned about more closed-circuit cameras in public places and less personal restraint on online social networks, our blog may be helpful to you.

We encourage active discussion and an exchange of ideas on our blog. We hope that your visit to our blog stimulates new ideas and initiatives. Whether you decide to share your ideas with us, or simply review our posts, we appreciate your participation. Please sign up for either our RSS feed or email alerts.

Mark McCreary
215.299.2010
mmccreary@foxrothschild.com

Amy C. Purcell
215.299.2798
apurcell@foxrothschild.com

Scott L. Vernick
215.299.2860
svernick@foxrothschild.com