FTC Extends Red Flag Rules Enforcement Until June 1, 2010

The FTC has again extended enforcement of the Red Flag Rules, this time until June 1, 2010.

This extension comes just one day after the ABA won a victory with its request that practicing attorneys be exempted from compliance with the Red Flag Rules.

The extension of the enforcement deadline also comes shortly after the House of Representatives passed a bill exempting health care practices, accounting practices and legal practices (each with 20 or fewer employees), as well as certain other FTC-approved businesses that are engaged in domestic services, provide services where identity theft is rare and have had no incidence of identity theft.

Originally, the Red Flag Rules would have taken effect on November 1, 2008, which was then extended to May 1, 2009, and then further extended to November 1, 2009.

ABA Scores Victory With Attorney Exemption From Red Flag Rules

The United States District Court for the District of Columbia ruled that the Red Flag Rules are not applicable to attorneys engaged in the practice of law.

The complaint, filed in late August 2009, argues that the FTC overstepped its statutory authority by imposing the Red Flag Rules on attorneys engaged in the practice of law.

The ruling is another victory for the American Bar Association when it comes to exempting attorneys from rules regarding the handling of financial and/or sensitive information. One would have expected the FTC to adjust its definition of “creditor” to make clear that attorneys are included in its regulations, but that clarification may need to be addressed at the Congressional level to avoid future ambiguity.

If Congress does present future legislation, or an amendment to existing legislation, that specifically includes attorneys, it will be interesting to see how the ABA argues that attorneys should be exempted from these types of federal consumer protection statutes.

The BLT: The Blog of LegalTimes reports that it is expected that the FTC will appeal the ruling.

Exemptions Under FTC Red Flag Rules Amendment Passes the House

Representative John Adler’s (D-NJ) amendment to the FTC Red Flag Rules, an act titled “To amend the Fair Credit Reporting Act to provide for an exclusion from Red Flag Guidelines for certain businesses,” passed the House of Representatives on October 20, 2009.

Currently, the Red Flag Rules go into effect on November 1, 2009.

Set forth in full below, the bill exempts health care practices, accounting practices and legal practices (each with 20 or fewer employees), as well as certain other FTC-approved businesses that are engaged in domestic services, provide services where identity theft is rare and have had no incidence of identity theft, from complying with the Red Flag Rules.

The Adler amendment will have little effect on the litigation brought in August by the American Bar Association because of its limited scope.

Identity Theft Regulations in Massachusetts May Get Small Business Friendly

The Office of Consumer Affairs and Business Regulations (OCABR) proposed revisions to the Massachusetts’ identity theft regulations, which would take effect on March 1, 2010.

The proposed regulations can be found here (PDF).  A comparison, or redline, of the proposed regulations to the current regulations can be found here (.DOC).  Finally, a set of frequently asked questions (FAQs) regarding the proposed regulations was prepared by the OCABR and can be found here (PDF), and they are certainly worth a read.

Citing a desire to undertake data security as “a risk-based approach that is especially important to small businesses that may not handle a lot of personal information about customers,” the OCABR emphasized that a business should assess the size and nature of the business, the kinds of records maintained and the risk of the business as an identity theft target when deciding its policies and procedures to handle personal information.

Borrowing from the FAQs above, the OCABR cites four major changes under the proposed regulations:

• As noted above, a risk-based approach to information security is adopted (consistent with other state and federal law). This approach is friendlier to small businesses and does not place on travel agencies (which collect little personal information) the same burdens that may be placed on wealth managers (which collect significant amounts of personal information).
• Many provisions currently required under a written information security program have been removed (and would serve as guidance going forward).
• The encryption requirement under the current regulation has been made technology neutral, and a technical feasibility standard has been applied to all computer security requirements. Businesses must still use reasonable means where they are available.
• The third party vendor requirements have been changed to be consistent with federal law.

One aspect that has NOT been proposed for change, and the one aspect of Massachusetts’ cutting-edge privacy regulations that (in my experience) most often catches businesses off guard, is that all means of storing personal information must be encrypted. This includes hard drives, thumb drives, backup tapes and any other method of electronic storage. Although this encryption requirement is almost certainly the direction most states are headed, it is almost unknown outside of the “privacy community.” As with most laws, ignorance of the requirement is not a defense.

Although the future for the proposed regulations is by no means decided, it is likely that some (if not all) of the proposed changes will see the light of day. We will know more after the public hearings on the revised regulations that are scheduled to occur on September 22, 2009.

Payment Card Industry Data Security Standard Comes to Nevada

Minnesota made waves in 2007 when it became the first state to make part of the Payment Card Industry (“PCI”) Data Security Standard applicable through its Plastic Card Security Act (PDF link). Although it has taken over two years, Nevada has become the second state to incorporate PCI, and it has done so by making the entire PCI standard applicable.

Nevada’s existing Security of Personal Information law now requires that affected parties comply with PCI as a whole. Unfortunately, the Nevada amendment (PDF link) does not get off to a good start: it requires compliance by deadlines that do not exist under the PCI standard itself but are, in actuality, set independently by the card issuers. Amending the existing Security of Personal Information law, the amendment requires that each affected party meet the following standard:

If a data collector doing business in this State accepts a payment card in connection with a sale of goods or services, the data collector shall comply with the current version of the Payment Card Industry (PCI) Data Security Standard, as adopted by the PCI Security Standards Council or its successor organization, with respect to those transactions, not later than the date for compliance set forth in the Payment Card Industry (PCI) Data Security Standard or by the PCI Security Standards Council or its successor organization.

The effect of the amendment itself is quite interesting. First, the amendment creates statutory authority for required compliance with the PCI standard, where before this requirement (as applied to merchants) existed only through contractual relationships. This will be academic for many merchants already complying, but it does go a long way to closing the existing gap whereby the PCI standard applied to merchants only because of contractual obligations with those parties directly affected.

Second, the amendment establishes a safe harbor that creates some interesting outcomes. It provides that “[a] data collector shall not be liable for damages for a breach of the security of the system data if: (a) The data collector is in compliance with this section; and (b) The breach is not caused by the gross negligence or intentional misconduct of the data collector, its officers, employees or agents.” Previously, an affected party would have recourse under various theories of law, with varying (and often undefined) standards of care or duty. Arguably, absent gross negligence or willful misconduct, an otherwise PCI-compliant merchant that experiences a data loss may escape liability in Nevada.

It is also likely that a savvy litigator will argue that the standards created in existing contractual relationships should be replaced with the statutory standard. Whether such an argument would prevail remains to be seen, but it is likely to be tested sooner than later.

Notwithstanding the inexplicable compliance deadline error, the Nevada amendment blazes the way for other states to incorporate the PCI standard into their existing and new laws. With the addition of the safe harbor set forth by Nevada, these laws may be a welcome addition to merchants that are PCI-compliant but experience a data loss.

Data Governance Resource - From the IT Perspective

Microsoft recently announced its new Trustworthy Computing: Data Governance web site at Tech•Ed.

According to Microsoft, it is promoting data governance because:

“Growing public concerns about abuses of consumers’ personal information threatens to curtail the growth of online commerce and services. Data Governance directly addresses these concerns.

Data Governance can reduce an organization’s IT costs and improve its control over its information, which increases data security and privacy and improves responses to changing compliance requirements.

Conversely, poor Data Governance raises the risks of data breaches, including identity theft and fraud, which can erode trust in an organization, trigger financial or legal penalties, or reduce confidence among employees, customers, and investors.”

Although the purpose of the Data Governance web site is to serve as a reference for software and application developers, it is also a good reference to any person involved in developing and maintaining data integrity, security, storage and sharing that contains personal information.

Among other things, the Data Governance web site is a resource for developing data policies, complying with regulatory and best-practice requirements, and addressing how long data should be retained.

Microsoft is promoting the development and implementation of data policies and action plans, something more and more state statutes require.

Although the materials are helpful, they are directed more at what to do than at how to do it. Microsoft does, however, publish its own standard privacy guidelines, as well as an IT Compliance Management Guide. Although these materials are prepared for Microsoft, and are not applicable to very many businesses, they are good resources for anyone wanting to get a flavor for these types of documents.

European Commission Takes Action on RFID Tags

The RFID (radio frequency identification) camps are many and varied throughout the world. Privacy proponents are calling the security risks from RFID technology monumental and ripe for data and identity theft. The federal government has decided that, when coupled with PIN codes and/or protective sleeves, RFID technology used in passports and passport cards is safe. The European Commission has said it believes that RFID technology can be safe, provided its new recommendations are followed.

On Tuesday, May 12, 2009, the European Commission adopted a set of recommendations intended to ensure that companies involved in the design or operation of RFID products respect the individual's fundamental right to privacy and data protection, as contained in the Charter of Fundamental Rights of the European Union. The recommendations can be read in full here (PDF link).

Member States of the European Union are required to report back in two years regarding the steps taken to conform to the recommendations, and within three years the Commission will publish a report assessing the recommendations' impact and the success of their implementation to date.

The recommendations require that all operators in the European Union, regardless of whether those operators are subject to other obligations under the EU Data Protection Directive 95/46/EC, comply with the steps set forth in the recommendations. The following are some of the more significant recommendations:

  • Member States should ensure that industry, in collaboration with relevant civil society stakeholders, develops a framework for privacy and data protection impact assessments.
  • Member States should support the Commission in identifying those applications that might raise information security threats with implications for the general public. For such applications, Member States should ensure that operators, together with national competent authorities and civil society organisations, develop new schemes, or apply existing schemes, such as certification or operator self-assessment, in order to demonstrate that an appropriate level of information security and protection of privacy is established in relation to the assessed risks.
  • Without prejudice to the obligations of data controllers, in accordance with Directives 95/46/EC and 2002/58/EC, Member States should ensure that operators develop and publish a concise, accurate and easy to understand information policy for each of their applications. The policy should at least include: (a) the identity and address of the operators, (b) the purpose of the application, (c) what data are to be processed by the application, in particular if personal data will be processed, and whether the location of tags will be monitored, (d) a summary of the privacy and data protection impact assessment, (e) the likely privacy risks, if any, relating to the use of tags in the application and the measures that individuals can take to mitigate these risks.
  • Member States should ensure that operators take steps to inform individuals of the presence of readers on the basis of a common European sign, developed by European Standardisation Organisations, with the support of concerned stakeholders. The sign should include the identity of the operator and a point of contact for individuals to obtain the information policy for the application.
  • On the basis of a common European sign, developed by European Standardisation Organisations, with the support of concerned stakeholders, operators should inform individuals of the presence of tags that are placed on or embedded in products.
  • When conducting the privacy and data protection impact assessment as referred to in points 4 and 5, the operator of an application should specifically determine whether tags placed on or embedded in products sold to consumers through retailers who are not operators of that application represent a likely threat to privacy or the protection of personal data.
  • Retailers should deactivate or remove at the point of sale tags used in their application unless consumers, after being informed of the policy referred to in point 7, give their consent to keep tags operational. Deactivation of the tags should be understood as any process that stops those interactions of a tag with its environment which do not require the active involvement of the consumer. Deactivation or removal of tags by the retailer should be done immediately and free-of-charge for the consumer. Consumers should be able to verify that the deactivation or removal is effective. (Not applicable if the privacy and data protection impact assessment concludes that tags that are used in a retail application and would remain operational after the point of sale do not represent a likely threat to privacy or the protection of personal data. Nevertheless, retailers should make available free-of-charge an easy means to, immediately or at a later stage, deactivate or remove these tags.)
  • Deactivation or removal of tags should not entail any reduction or termination of the legal obligations of the retailer or manufacturer towards the consumer.
  • Member States, in collaboration with industry, the Commission and other stakeholders, should take appropriate measures to inform and raise awareness among public authorities and companies, in particular SMEs, of the potential benefits and risks associated with the use of RFID technology. Specific attention should be given to information security and privacy aspects.
  • Member States should cooperate with industry, relevant civil society stakeholders and the Commission to stimulate and support the introduction of the ‘security and privacy by design’ principle at an early stage in the development of RFID applications.

Mark McCreary is a partner in Fox Rothschild's Corporate Department, specializing in privacy and Internet law. If you have questions regarding this post, or any other privacy matter, you may contact Mark at (215) 299-2010 or mmccreary@foxrothschild.com.

Data Breaches Worse Than Thought

There is a very interesting article posted at Nextgov.com regarding major data breaches and thefts.  The article can be found here.

The author, quoting James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies, makes the point that the list of breaches would be much larger if smaller breaches were reported.

So how many breaches go unreported?  Well, nobody knows for sure but the number would almost certainly be staggering.  With new federal requirements poised to go into effect, we may start to have a better idea of just how many breaches occur.  At the very least, we may have a way to track those breaches that are actually reported.

Data Accountability and Trust Act: Federal Breach Notification, Data Security Policies and File Access Addressed

The U.S. House of Representatives continues to debate, revise and take testimony on a major piece of proposed federal privacy legislation, the Data Accountability and Trust Act (H.R. 2221) (“DATA”), which was referred to the House Committee on Energy and Commerce on April 30, 2009.

The proposed DATA legislation has three primary goals. First, DATA would put into place a first of its kind (other than the HITECH Act applicable to medical data, discussed here) federal law regarding the standards for notification of breaches or thefts involving personally identifiable information. DATA would also require that notification be provided to the FTC if there is a breach. Although there is no current requirement of notification to state agencies, DATA does allow state agencies and the FTC to enforce the provisions of DATA. Although almost all states and jurisdictions have data breach notification laws in place, and other states are on the verge of passing new data breach notification laws, a federal law would replace the jumble of standards and reporting requirements. Although privacy proponents summarily applaud the idea of data breach notification standards, fear of putting in place a lower standard than already in place in some jurisdictions continues to cast a shadow over this prospect. As with many state laws, a firm can avoid notifying customers and the FTC if it determines that there is no risk of harm from the breach or theft. This “no risk” standard, however, would be a lesser standard than those states that require reporting regardless of whether there is a risk. Therefore, while preemption is not being dismissed by those following the legislation, a demand for adequate notification standards continues.


Second, DATA would require those firms that store personally identifiable information to have in place security policies and procedures to ensure that the information is adequately protected. These proposed provisions largely track those already in place in the Gramm-Leach-Bliley Act. The definition of “personal information” in DATA is fairly limited in scope, largely because too broad a definition (think of the very broad definition used by the European Union) would lead to over-notification if there is a breach, a possibility many fear would lead to complacency if breach notification becomes an everyday occurrence. The current definition under DATA is: an individual’s first name or initial and last name, or address, or phone number, in combination with any 1 or more of the following data elements for that individual: (i) Social Security number; (ii) driver’s license number or other State identification number; and (iii) financial account number, or credit or debit card number, and any required security code, access code, or password that is necessary to permit access to an individual’s financial account.

However, the definition of “personal information” in DATA is no broader with respect to security policies and procedures, meaning that the set of firms required to have security policies and procedures in place is likewise limited. While there may be a particular concern about imposing (potentially) costly requirements on firms that hold information less sensitive than that in the definition of “personal information,” there will be a push to expand the definition of “personal information” for purposes of the security policies and procedures requirements.

Third, DATA has added provisions related to consumers’ ability to review and correct misinformation held by a firm. Similar to the right to review and protest information contained in credit reports under the Fair Credit Reporting Act (PDF link), consumers are allowed to point out incorrect “personal information” a firm maintains. That statement alone raises two major flaws in the current legislation. First, the definition of “personal information” is limited and would only allow a review and correction of highly sensitive information. Under FCRA, any reported information is subject to review and correction. Second, there is no clear direction on what is meant by “maintain.” Does information obtained from clearinghouses constitute “maintaining” that information? Most state statutes are interested in possession and/or use of the data, which is a much clearer standard.

DATA will continue to evolve and be adjusted as interested parties provide feedback and suggestions. Whether DATA is the national privacy law that we are all anticipating and, in many ways, hoping for remains to be seen.


World Privacy Forum Publishes Top Ten Opt Outs

The World Privacy Forum has published a list of their favorite opt out opportunities.  Click here to review this very helpful list, some of which may be new to you.


Privacy in Work-Related Matters Discussed in Social Networking Sites

After years of water cooler whispering (with raised eyebrows) and urban legends of terminated employees, savvy Internet users know not to have any realistic expectation of privacy when it comes to work-hosted email, Internet access and the like.

Is there now cause for concern when it comes to discussing work-related topics on employees’ own time on personally owned computers? The United States District Court for the District of New Jersey is taking up the case right now.

In Pietrylo v. Hillstone Restaurant Group, Docket No. 2:06-cv-05754 (D.N.J. 2008), the plaintiffs allege that their use of MySpace is protected from their employer’s prying eyes. The plaintiffs, Brian Pietrylo and Doreen Marino, were terminated by Hillstone, which operates the Houston’s chain of restaurants.

Pietrylo, a bartender at Houston’s in Hackensack, New Jersey, created the MySpace user group “Spec-Tator” so that current and former employees could “vent” about their experience while working at the restaurant. Allegedly, the user group was created on personal time, and invitations were distributed on personal time. According to Pietrylo, the forum was a "nice place to vent ... without any eyes outside spying on us."


One of the persons invited to the user group, which was invitation-only and required a password to enter and view, was Marino. Spec-Tator went as well as most user groups, quickly filling with complaints about the restaurant, the décor and even supervisors. Then a hostess, Karen St. Jean, let one of the supervisors in on the joke. Apparently they all had a good laugh at the site.

Soon after the sharing with a supervisor, another supervisor demanded from St. Jean her username and password to Spec-Tator. Testifying that she feared that her refusal to cooperate would affect her job negatively, St. Jean gave up her username and password. Pietrylo and Marino were fired shortly thereafter. The reason cited for their termination was violation of company policy involving "professionalism and a positive attitude."

The federal lawsuit then followed. The plaintiffs alleged that Hillstone’s firing them violated their freedom of speech, their common law right to privacy, the Stored Communications Act, and the New Jersey statute on unlawful access to stored communications.

On a motion for summary judgment by Hillstone, the District Court found that there was no violation of the plaintiffs’ free speech, but the court did allow the plaintiffs’ other claims to move forward. Additionally, the court found that the issues of privacy violations were issues for a jury because they were matters of fact.

The remaining issues appear to come down to whether Hillstone’s management gained access to the user group through coercion (by threatening St. Jean) and, if properly accessed, whether there would still be an expectation of privacy. In other words, if a jury finds that management learned of the user group because it coerced St. Jean into providing access, then there is an argument that information learned cannot be used. The Ninth Circuit has already held that the Stored Communications Act permits those persons with access to password-protected content to share access to any third person (provided that the person is actually a “user” of the site), thereby obviating any expectation of privacy in the speech contained therein. See Konop v. Hawaiian Airlines, Inc., 302 F.3d 872 (9th Cir. 2002) (court held that the Stored Communications Act authorizes users of a web site to give permission to others to access the web site, but must actually access the web site to be a “user” under the Stored Communications Act; absent access, person has no authority to authorize a third party to access the web site).

The issue, stated another way, is that if a speaker manages to conceal his or her speech from unintended ears, then there is a much stronger argument that that speech is private and protected. However, if access to such speech is granted (properly) to those unintended readers, then the expectation of privacy is much lower.

Prior cases demonstrate that the tipping point in work-related, free speech cases dealing with personal time and/or personal computer equipment may be whether there was an explicit policy in place by the employer dealing with speech regarding work and work-related issues.

What policies does your business or employer have in place dealing with your speech on your own time?


DNA Databases Greatly Increase in Size in United States

The New York Times is reporting that DNA databases built and maintained by the Federal Bureau of Investigation (F.B.I.) and various states are quickly increasing in size and use.

The debate over whether persons convicted of felonies should have their DNA collected and stored by law enforcement has long been considered decided. Additionally, the collection of fingerprints of persons arrested (but not necessarily convicted) of crimes has also long been considered decided.

However, what about the collection of DNA from persons merely arrested or detained, but not convicted? The F.B.I. and 15 states are going to do just that starting this month, with a vast majority of those persons being suspected illegal immigrants.

The National DNA Index System, initiated under the E-Government Act of 2002, P.L. 107-347, and the accompanying guidelines issued by the Office of Management and Budget (OMB) on September 26, 2003, already contains information on 6.7 million people. The rate of collection is expected by the F.B.I. to increase from around 80,000 persons per year to 1.2 million people per year by 2012, a 17-fold increase, according to The New York Times.


According to the article, 35 states require minors to provide DNA samples upon conviction, with some of those states requiring samples upon arrest. Some 16 states go even further, requiring DNA samples from any person convicted of a misdemeanor.

Taking DNA samples is nothing new for residents of Britain. Approximately seven percent (7%) of Britain’s residents are in the national DNA database, with approximately one-fifth of those persons not even having a criminal record.

These numbers become further controversial when you consider that the House of Commons reports that 27% of black residents, and 42% of black males, are in Britain’s database, while only six percent (6%) of persons in the database are white.

Civil liberty experts estimate that practices in the United States may be headed in the same direction, both in the number of persons in the database and in racial disparity.


European Union Seeks Privacy Enforcement By Britain

As with NebuAd here in the United States, the Phorm service in Europe is under constant and increasing attack.  The business model for both is basically to team up with Internet service providers, track and collect Internet usage data, and then use that information to serve interest-based ads to the Internet user.  Take a trip to a popular gadget web site, and expect to be served advertisements that offer gadgets for sale.  Visit a travel interest web site, and expect to start noticing advertisements from travel sites in other web pages. 

Announcing that the European Union has "opened an infringement proceeding" to investigate Phorm’s activities, the European Union's Commissioner for Information Society and Media, Viviane Reding, said in a video message that "European privacy rules are crystal clear: a person's information can only be used with their prior consent. We cannot give up this basic principle, and have all our exchanges monitored, surveyed and stored in exchange for a promise of 'more relevant' advertising! I will not shy away from taking action where an EU country falls short of this duty."

The legal action commenced by the European Union basically consists of an inquiry and warning to Britain, inquiring into Britain’s interpretation of the privacy regulations and rules in place, and an explanation of how operations by Phorm comply with those privacy regulations and rules.  In other words, the European Union wants Britain to explain why it has not commenced any action against Phorm.  Britain has two months to respond, and additional inquiries and warnings may follow before the European Union forces Britain into court.


These recent concerns about Phorm are based on unannounced trials conducted on unsuspecting users in 2006 and 2007.  Although the service claims not to have stored or shared any information that could identify a user, and although later trials were conducted with the consent of invited participants, the European Union seeks an investigation into the actions in 2006 and 2007.

In her press release, Commissioner Reding summarizes the applicable European law:

The EU Directive on privacy and electronic communications requires EU Member States to ensure confidentiality of the communications and related traffic data by prohibiting unlawful interception and surveillance unless the users concerned have consented (Article 5(1) of Directive 2002/58/EC).  The EU Data Protection Directive specifies that user consent must be ‘freely given specific and informed’ (Article 2(h) of Directive 95/46/EC).  Moreover, Article 24 of the Data Protection Directive requires Member States to establish appropriate sanctions in case of infringements and Article 28 says that independent authorities must be charged with supervising implementation. These provisions of the Data Protection Directive also apply in the area of confidentiality of communications.

Commissioner Reding also indicated that social networking sites, like Facebook, MySpace and Friendster, must safeguard and reinforce privacy protection online: "Privacy must in my view be a high priority for social networking providers and their users. I firmly believe that at least the profiles of minors must be private by default and unavailable to internet search engines. The European Commission has already called on social networking sites to deal with minors' profiles carefully, by means of self-regulation. I am ready to follow this up with new rules if I have to."

Mark McCreary is a partner in Fox Rothschild's Corporate Department, specializing in privacy and Internet law. If you have questions regarding this post, or any other privacy matter, you may contact Mark at (215) 299-2010 or mmccreary@foxrothschild.com.

Stolen Personal Data Continues to be Lucrative

Symantec Corp. has released its Internet Security Threat Report Volume XIV, and the news is excellent for thieves of personal information.  Symantec reports that the income received by sellers of stolen personal information continues to be high. 

Credit card information continues to reign supreme, generating from $0.06 to $30.00 per record, while access to email accounts, access to proxies and shell scripts saw the biggest rises from 2007 to 2008.

A recent article by the Associated Press focuses on economic factors related to the trading of stolen personal information.  Citing reasons ranging from the bottoming out of prices, to sellers of stolen information not wanting to undercut each other, to the difficulty of obtaining PIN codes and security codes, to renewed efforts to scam information because of a failing economy, the article explains why prices are holding steady even though thefts are increasing.

However, the most interesting statistic may relate to so-called phishing scams.  A study from Gartner estimated that more than 5 million persons in the United States were the victim of a phishing scam between September 2007 and September 2008, representing a forty percent (40%) increase over the prior twelve months.

Reports also indicate that the trading in financial information has become so lucrative, and apparently relatively easy, that “gangs” of hackers and traders have become more common and visible. 

What this means is that at least one of two things is happening: (1) those persons that set up phishing scams are getting even better at tricking unsuspecting people into providing their personal information, and/or (2) Internet users are not being nearly vigilant enough when it comes to “clicking” on emails and providing personal information online.

The issues for businesses are dramatic:

- Are employees falling for phishing scams on work computers, possibly allowing the installation of malicious software?

- Are your customers being duped into thinking that your business is communicating with them (which begs the question of whether you have educated your customers about the information you collect through email links)?

- Are you accepting payments that do not conform to the PCI Standards and/or do not request enough information to ensure that your payees are who they say they are?

Mark McCreary is a partner in Fox Rothschild's Corporate Department, specializing in privacy and Internet law. If you have questions regarding this post, or any other privacy matter, you may contact Mark at (215) 299-2010 or mmccreary@foxrothschild.com.

European Telecoms and ISPs Start Storing User's Internet Data

Starting April 6, 2009, European Union telecommunications companies and Internet service providers (ISPs) suddenly found themselves required to store even more data about their users.

Under the existing requirements of the 2006 Data Retention Directive, telecommunications providers are required to retain records (when calls were made and the origination/destination details) regarding telephone calls made over their lines.

Now, under The Data Retention Regulations 2009, those European telecommunications providers and, for the first time, some ISPs (other than ISPs that also provide voice over IP services, which have always been covered) must retain details of Internet traffic and electronic mail transmissions for a period of six (6) to twenty-four (24) months from origination.  The United Kingdom has determined that the period of retention shall be twelve (12) months.  Sweden has threatened to “ignore” these new requirements.

Although the new regulations do not require the retention of the actual content (i.e., the telephone conversations, Internet content or the electronic mail content), affected European telecommunications providers and ISPs must retain the details of the transmissions (e.g., origination and destination telephone numbers, the length of telephone calls, the IP address of the user (but not destination IP addresses), electronic mail addresses and the time of transmission).


The new requirements do not require retention of Internet data by all European telecommunications providers and ISPs.  Rather, a provider must only retain this information once it has been notified to do so by the Secretary of State.  However, the existing requirement to retain records (e.g., when calls were made and the origination/destination details) regarding telephone calls made over their lines remains unaffected.

Government officials in the United Kingdom will be able to exercise powers under the Regulation of Investigatory Powers Act of 2000 (RIPA) to seek a court order for the release of the information stored under the revised Directive "for the purpose of the investigation, detection and prosecution of serious crime, as defined by each Member State in its national law.”

Opponents of the new regulations speculate that this is another step toward a nationalized database, permitting governmental agencies to determine where a person was situated (whether telephonically or on the Internet) at any given time.  Proponents counter that the content is not recorded, and that the information can only be accessed when it is necessary and proportionate to make such collection.

Mark McCreary is a partner in Fox Rothschild's Corporate Department, specializing in privacy and Internet law. If you have questions regarding this post, or any other privacy matter, you may contact Mark at (215) 299-2010 or mmccreary@foxrothschild.com.

Published on MySpace Means No Expectation of Privacy

A young woman in Coalinga, California, following a visit home from college, penned to her MySpace page “An ode to Coalinga” (the “Ode”).  The Ode opens with “the older I get, the more I realize how much I despise Coalinga” and then proceeds to make a number of extremely negative comments about Coalinga and its residents.  She removed the Ode from her MySpace page within six days of posting it.

However, during the six days that the Ode was posted on MySpace, the principal of Coalinga high school discovered the Ode and sent it to his friend, the editor of the local paper, the Coalinga Record.

The editor of the Coalinga Record republished the Ode as a “Letter to the Editor,” adding the author’s last name (which was not present on the MySpace page).  The author and her family received death threats, and a shot was fired at the family home, forcing the family to move out of Coalinga.  Due to severe losses, her father closed the 20-year-old family business.

The California Court of Appeal, in Moreno et al. v. Hanford Sentinel, Inc., et al., F054138, slip op. (Cal. Ct. App. April 2, 2009) (PDF link), ruled that the principal did not invade the author’s privacy when he handed the Ode over to the Coalinga Record.  The court further held that the editor of the Coalinga Record did not violate the author’s rights when the paper published her full name.


When posting material to MySpace, a user’s expectation of privacy is diminished if not obviated, depending on the circumstances.  Although the court’s opinion does not make it clear, it appears that the author’s Ode was available to any person viewing her MySpace page (versus her granting access to only a small group of people).  The court was not moved by the argument that only a limited audience would have viewed her posting.  “Here, Cynthia publicized her opinions about Coalinga by posting the Ode on myspace.com, a hugely popular internet site.  Cynthia’s affirmative act made her article available to any person with a computer and thus opened it to the public eye.  Under these circumstances, no reasonable person would have had an expectation of privacy regarding the published material.”

Removing the Ode only six days after publication also did not help to regain some sort of privacy.  “That Cynthia removed the Ode from her online journal after six days is also of no consequence.  The publication was not so obscure or transient that it was not accessed by others.”

The court also found that although the author’s last name was not published on her MySpace page, her identity was easily ascertainable.  The court wrote:

Campbell was able to attribute the article to her from the internet source.  There is no allegation that Campbell obtained Cynthia’s identification from a private source.  In fact, Cynthia’s MySpace page included her picture.  Thus, Cynthia’s identity as the author of the Ode was public.  In disclosing Cynthia’s last name, Campbell was merely giving further publicity to already public information.  Such disclosure does not provide a basis for the tort.

The case was remanded in order to address the claim of intentional infliction of emotional distress, but the ruling on privacy is intact.

This case is a wonderful example of Web 2.0 users losing the right to keep their thoughts private once they publish those thoughts online.  What is unclear, and the “gray area” that will continue to develop, is whether publication to a select group, or publication with privacy settings activated that prevent the general public from viewing the content, constitutes a waiver of privacy with respect to that material.

Regardless of any gray area, the lesson is clear.  Publication, possibly even to a limited group, raises the risk that the author waives all right to privacy in that work.

Mark McCreary is a partner in Fox Rothschild's Corporate Department, specializing in privacy and Internet law. If you have questions regarding this post, or any other privacy matter, you may contact Mark at (215) 299-2010 or mmccreary@foxrothschild.com.

Proposed US Law Would Permit Government to Shut Down the Internet

The Cybersecurity Act of 2009 (PDF link), introduced by Senators John Rockefeller (D-W. Va.) and Olympia Snowe (R-Maine), is no April Fool’s joke.  The proposed law would give President Obama the power to shut down domestic Internet traffic (services, applications and software) during a state of emergency.  The Committee on Commerce, Science and Transportation will take up this proposed law.

The proposed law would create the Office of the National Cybersecurity Advisor, which would be an extension of the executive branch with broad power to control and monitor Internet traffic to protect against cybersecurity threats.  Furthermore, the Commerce Department would be given the ability to bypass every existing law regarding privacy and access any relevant information regarding citizens’ and businesses’ use of the Internet while investigating cybersecurity threats (real and perceived).

The proposed law makes no clear indication of what is meant by the phrases “critical information network” or a “cybersecurity emergency,” instead (broadly) leaving that interpretation to the president.  The Secretary of Commerce would have “access to all relevant data concerning [critical] networks without regard to any provision of law, regulation, rule, or policy restricting such access.”


Under existing laws, law enforcement must obtain a warrant (and meet the requisite legal standards) before accessing data transmissions over the Internet.  These requirements under the Electronic Communications Privacy Act (ECPA) would effectively disappear if the powers under the proposed law are exercised.

The proposed law would also create a public-private clearinghouse for cybersecurity threats and information regarding discovered vulnerabilities under authority of the Department of Commerce.

Finally, the proposed law would also put in place mandates for designated private networks and systems, including standardized security software/testing/licensing, and a professional licensing program for certifying who can serve as a cybersecurity professional.

But Senators Rockefeller and Snowe offered no apologies.  "It's an understatement to say that cyber-security is one of the most important issues we face; the increasingly connected nature of our lives only amplifies our vulnerability to cyber-attacks and we must act now. …We must protect our critical infrastructure at all costs—from our water to our electricity, to banking, traffic lights and electronic health records—the list goes on," Rockefeller said in a statement.

Snowe supported Rockefeller’s comments, saying, "America's vulnerability to massive cyber-crime, global cyber-espionage and cyber-attacks has emerged as one of the most urgent national security problems facing our country today. Importantly, this legislation loosely parallels the recommendations in the CSIS [Center for Strategic and International Studies] blue-ribbon panel report to President Obama and has been embraced by a number of industry and government thought leaders. …If we fail to take swift action, we, regrettably, risk a cyber-Katrina."

Mark McCreary is a partner in Fox Rothschild's Corporate Department, specializing in privacy and Internet law. If you have questions regarding this post, or any other privacy matter, you may contact Mark at (215) 299-2010 or mmccreary@foxrothschild.com.

Death of University Student Calls Privacy Issues Into Question

An early March death of a University of Kansas student has many colleges and universities rethinking privacy policies regarding their students.

Recent news reports indicate that Jason Wren, a 19-year-old student from Colorado, was ejected from university housing after repeated infractions involving alcohol. Reportedly, the university’s policy regarding its students’ privacy prohibited the disclosure to Mr. Wren’s parents of the basis for his removal from university housing.

On March 8, 2009, Jason Wren was found dead in his bed at a fraternity house in Lawrence, Kansas. The Kansas City Star reported that Jay Wren, the father of the deceased student, indicated that the university would not disclose to him the basis for his son’s removal from university housing. The Star further reported that Mr. Wren said he would have pulled his son out of school if he knew of an alcohol problem.

Kansas University has reported that it is examining the privacy issues (and policies) currently in place. Apparently the university will be examining whether any changes can or should be made to the policy, in light of these recent events.

Kansas University will have to take into consideration the requirements imposed when financial aid from a program administered by the U. S. Department of Education is involved when making decisions regarding privacy. Generally speaking, under the Family Educational Rights and Privacy Act (FERPA), parents do not have the right to learn certain (in most cases, private) information regarding their children unless the child specifically permits it.

The death of this student may be a wake-up call for many colleges and universities, as well as other organizations in similar situations. The opportunity to review the consequences of privacy policy provisions should not be overlooked. Although many institutions (admirably) want to protect the privacy of their patients, students and guests, decisions regarding privacy protection do not exist in a vacuum, as this case well demonstrates.

Mark McCreary is a partner in Fox Rothschild's Corporate Department, specializing in privacy and Internet law. If you have questions regarding this post, or any other privacy matter, you may contact Mark at (215) 299-2010 or mmccreary@foxrothschild.com.

Welcome to the Privacy Compliance and Data Security Blog

We are pleased to announce and launch Fox Rothschild’s Privacy Compliance and Data Security Blog. With a new President, a new national mission throughout government to secure and protect personal information and prevent cyber threats, as well as quickly evolving privacy requirements here and abroad, there could not be a better time to think about data privacy.

We decided to create this blog so that our clients and friends would have timely access to current, pending and anticipated requirements on such issues as privacy compliance, data security and breach notification. Although we do not expect every topic on our blog to be important to you, we hope to provide our readers with information regarding a wide array of issues and developments that are relevant in today’s world.  While you may be reading our blog because you want to ensure that your business complies with applicable laws, privacy laws and practices affect all of our daily lives on business, personal and professional levels. Whether you find your business responding to a data breach, or you are concerned about more closed-circuit cameras in public places and less personal restraint on online social networks, our blog may be helpful to you.

We encourage active discussion and an exchange of ideas on our blog. We hope that your visit to our blog stimulates new ideas and initiatives.  Whether you decide to share your ideas with us, or simply review our posts, we appreciate your participation. Please sign up for either our RSS feed or email alerts.

Mark McCreary
215.299.2010
mmccreary@foxrothschild.com

Amy C. Purcell
215.299.2798
apurcell@foxrothschild.com

Scott L. Vernick
215.299.2860
svernick@foxrothschild.com