On June 30, 2015, Connecticut Governor Dannel Malloy signed into law Senate Bill 949, “An Act Improving Data Security and Agency Effectiveness”, a data privacy and security bill that creates stricter data breach response requirements.  S.B. 949 specifies that an entity that experiences a data breach must give notice to those affected no “later than [90] days after discovery of such breach, unless a shorter time is required under federal law.”  Previously, Connecticut law only required entities to provide notice of a data privacy breach to affected individuals “without unreasonable delay.”

During a press conference on June 2, 2015, Attorney General George Jepsen clarified that 90 days is an outer limit, not a safe harbor.  He stated that “[t]here may be circumstances under which it is unreasonable to delay notification for 90 days.”  Projected to become effective October 1, 2015, S.B. 949 also requires entities affected by breaches to provide at least one year of free identity theft prevention services for breaches involving the resident’s name and Social Security number.

[Also posted at http://hipaahealthlaw.foxrothschild.com/]

This case has nothing to do with HIPAA, but it should be a warning to zealous covered entities and other types of business entities trying to give patients or consumers more information about data privacy than is required under applicable law.  In short, giving individuals more information is not necessarily better, especially where the information might be construed as partially inaccurate or misleading.

The Federal Trade Commission (FTC) filed a complaint against Nomi Technologies, Inc., a retail tracking company that placed sensors in clients’ New York City-area retail stores to automatically collect certain data from consumers’ mobile devices as they passed by or entered the stores.  Nomi’s business model was publicized in a July 2013 New York Times article.  The complaint alleged, among other things, that although Nomi’s published privacy policy stated that Nomi would “allow consumers to opt out of Nomi’s [data tracking] service on its website as well as at any retailer using Nomi’s technology,” Nomi actually only allowed consumers to opt out on its website; no opt-out mechanism was available at the clients’ retail stores.

The FTC voted 3-2 to accept a consent order (published for public comment on May 1, 2015) from Nomi under which Nomi shall not:

“[M]isrepresent in any manner, expressly or by implication:  (A) the options through which, or the extent to which, consumers can exercise control over the collection, use, disclosure, or sharing of information collected from or about them or their computers or devices, or (B) the extent to which consumers will be provided notice about how data from or about a particular consumer, computer, or device is collected, used, disclosed, or shared.”

The odd aspect of this complaint and consent order is that Nomi did not track or maintain information that would allow individual consumers to be identified.  The media access control (MAC) address broadcast by consumers’ mobile devices as they passed by or entered the stores was cryptographically “hashed” before it was collected, creating a unique identifier that allowed Nomi to track the device without tracking the consumer him/herself.  As dissenting Commissioner Maureen Ohlhausen points out, as “a third party contractor collecting no personally identifiable information, Nomi had no obligation to offer consumers an opt out.”  The majority, however, focuses on the fact that the opt-out statement was partially inaccurate, then leaps to the conclusion that the inaccuracy was deceptive under Section 5 of the FTC Act, without pausing to reflect on the fact that the privacy policy and opt-out process may not have been required by law in the first place.
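The following is an added illustration of the hashed-MAC design described above; it is not Nomi’s code, and the complaint does not say which hash function or data format Nomi used.  It assumes SHA-256 over the raw 6-byte address, uses constructed sample readings (the MAC and store names are made up), and adds one caveat a security engineer would raise about calling such a token “not personally identifiable”: a MAC address is only 48 bits and its first 24 bits (the vendor prefix, or OUI) are published, so an unkeyed hash can be reversed by enumerating at most 2**24 candidates per vendor.  The keyed (HMAC) variant at the end is an assumed alternative design, not anything the FTC or Nomi described.

```python
"""Hashed MAC addresses as device identifiers: a stable tracking token, and
why hashing alone is not anonymisation.  Added example, not Nomi's code."""
import hashlib
import hmac
from collections import defaultdict

# Constructed sample input: sensor readings from two stores.  Nomi's real
# format is not described in the complaint; SHA-256 over the raw address is
# an assumption used here for illustration only.
READINGS = [
    ("Store A, 34th St", "00:1A:2B:01:23:45"),
    ("Store A, 34th St", "00:1A:2B:0F:FF:FE"),
    ("Store B, SoHo",    "00-1a-2b-01-23-45"),   # same phone, different formatting
]


def normalize_mac(mac: str) -> bytes:
    """Accept 'AA:BB:CC:DD:EE:FF' or 'aa-bb-cc-dd-ee-ff' and return 6 raw bytes."""
    digits = mac.replace(":", "").replace("-", "").lower()
    if len(digits) != 12:
        raise ValueError(f"not a 48-bit MAC: {mac!r}")
    return bytes.fromhex(digits)


def format_mac(raw: bytes) -> str:
    return ":".join(f"{b:02x}" for b in raw)


def hashed_identifier(mac: str) -> str:
    """Unkeyed hash of the MAC: the 'hashed before it was collected' design."""
    return hashlib.sha256(normalize_mac(mac)).hexdigest()


def link_readings(readings):
    """Group sightings by hashed identifier.  The MAC itself is never stored,
    yet the same phone is recognised at both stores, which is exactly the
    device-tracking capability described in the post."""
    seen = defaultdict(list)
    for store, mac in readings:
        seen[hashed_identifier(mac)].append(store)
    return dict(seen)


def recover_mac(identifier: str, oui: bytes, max_suffix: int = 1 << 24):
    """Reverse an unkeyed hash by enumeration.  With the 3-byte OUI known,
    there are at most 2**24 possible addresses per vendor; a full search takes
    minutes in pure Python and seconds with a compiled tool.  Returns the
    recovered MAC, or None if no candidate below max_suffix matches."""
    for suffix in range(max_suffix):
        candidate = oui + suffix.to_bytes(3, "big")
        if hashlib.sha256(candidate).hexdigest() == identifier:
            return format_mac(candidate)
    return None


def keyed_identifier(mac: str, key: bytes) -> str:
    """HMAC with a secret key (an assumed design, not Nomi's): without the key
    the enumeration above cannot be run offline, and rotating the key (for
    example daily) bounds how long two sightings can be linked together."""
    return hmac.new(key, normalize_mac(mac), hashlib.sha256).hexdigest()


if __name__ == "__main__":
    for ident, stores in link_readings(READINGS).items():
        print(ident[:16], "seen at", stores)
    target = hashed_identifier("00:1A:2B:01:23:45")
    print("recovered from unkeyed hash:", recover_mac(target, bytes.fromhex("001A2B")))
    keyed = keyed_identifier("00:1A:2B:01:23:45", b"constructed-daily-key")
    print("recovered from keyed hash:", recover_mac(keyed, bytes.fromhex("001A2B"), 1 << 17))
```

The point for the legal analysis is narrow: whether a hashed MAC is “personally identifiable” depends on who else holds the preimage space and the key, not on the word “hashed” alone.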

So while many HIPAA covered entities and other businesses may want to give consumers as much information as possible about data collection, the lesson here is twofold:  first, make sure the notice is required under applicable law (and, if it’s not, be sure the benefits of notice outweigh potential risks); and, second, make sure the notice is 100% accurate to avoid FTC deceptive practices claims.

The Securities and Exchange Commission’s Office of Compliance Inspections and Examinations (OCIE) recently released an initial summary of its findings from its 2014 OCIE Cybersecurity Initiative.  The OCIE examined 57 registered broker-dealers and 49 registered investment advisers to better understand how broker-dealers and advisers address the legal, regulatory, and compliance issues associated with cybersecurity.

The OCIE Summary made the following observations:

  • the majority of examined broker-dealers and advisers have adopted written information security policies;
  • the majority of examined firms conduct periodic risk assessments to identify cybersecurity threats and vulnerabilities;
  • most of the examined firms reported that they have experienced cyber-attacks directly or through one or more of their vendors; and
  • almost all of the examined firms make use of encryption in some form.

The OCIE also identified key differences in practices between broker-dealers and advisers, including that broker-dealers were more likely to:  (1) incorporate cybersecurity risk policies into contracts with vendors; (2) explicitly designate a Chief Information Security Officer; and (3) maintain insurance for cybersecurity incidents.

FINRA also recently released a Report on Cybersecurity Practices, which presents firms with an approach to cybersecurity grounded in risk management.  FINRA’s Report recommends:

  • a sound governance framework with leadership engagement on cybersecurity issues;
  • risk assessments;
  • technical controls and strategy that fit the firm’s individual situation;
  • testing response plans, which should include containment, mitigation, recovery, investigation, notification and making consumers whole;
  • exercising due diligence when contracting with and using a vendor;
  • training staff to prevent unintentional downloading of malware; and
  • engaging in collaborative self-defense with other firms by sharing intelligence.

For more information and resources related to the SEC and FINRA’s examination of cybersecurity, check out Christopher Varano’s post on Fox Rothschild’s Securities Compliance blog.

Officials from both the Federal Trade Commission (FTC) and European Union (EU) recently called for enhancements to the Obama administration’s proposed Consumer Privacy Bill of Rights.

The White House’s proposed Consumer Privacy Bill of Rights seeks to provide “a baseline of clear protections for consumers and greater certainty for companies.”  The guiding principles of the draft bill are:  individual control, transparency, respect for context, security, access and accuracy, focused collection and accountability.

But the proposed legislation also seeks to afford companies discretion and flexibility to promote innovation, which some officials argue has led to a lack of clarity.

FTC Chairwoman Edith Ramirez had hoped for a “stronger” proposal and had “concerns about the lack of clarity in the requirements that are set forth.”  However, Chairwoman Ramirez acknowledged the significance of a privacy bill backed by the White House.  FTC Commissioner Julie Brill also expressed concern over weaknesses in the draft, calling for more boundaries.

Likewise, European Data Protection Supervisor Giovanni Buttarelli felt that the proposal lacked clarity and that, as written, “a large majority of personal data would not be subject to any provisions or safeguards.”



On December 31, 2014, the Federal Trade Commission announced that it approved a final order settling charges against Snapchat.

In its complaint, the FTC charged Snapchat with deceiving consumers over the amount of personal data that it collected and the security measures in place to protect the data from disclosure and misuse.

The settlement order prohibits Snapchat from misrepresenting the extent to which a message is deleted after being viewed by the recipient and the extent to which Snapchat is capable of detecting or notifying the sender when a recipient has captured a screenshot or otherwise saved the message.  Snapchat is also prohibited from misrepresenting the steps taken to protect against misuse or unauthorized disclosure of information.

Finally, the company will be required to implement a “comprehensive privacy program” and obtain assessments of that program every two years from an independent privacy professional for the next 20 years.

In its press release, the FTC noted that its settlement with Snapchat is “part of the FTC’s ongoing effort to ensure that companies market their apps truthfully and keep their privacy promises to consumers.”

Increasingly, companies are finding that a consumer provides her information again after she has previously opted out of marketing.  For example, a company collects contact information online, sends the consumer an email marketing its services, and she opts out of further email marketing by following the “opt-out” procedures in that email.  Six months later the same consumer participates in a survey sponsored by the same company, the terms of which state that by participating in the survey the consumer consents to receive further marketing communications from the company.  Is the company bound by the consumer’s prior opt-out, or does her participation in the survey under rules permitting marketing override the original opt-out?

There is no one size fits all answer to the above situation.  Undoubtedly the company would be in a much better position if there is an unpopulated checkbox on the survey asking the consumer if she would like to receive future marketing.  In that case, there is an affirmative act by the consumer that almost certainly revokes the prior opt-out.

What if the survey terms not only state that by participating in the survey the consumer consents to receive further marketing communications from the company, but also affirmatively state that any prior opt-out shall be deemed revoked by participating?  What if the same type of “if you provide us your information again after opting out, your opt-out shall be void” disclaimer appeared in the company’s Privacy Policy when her information was originally collected?

If your company finds itself receiving a consumer’s information repeatedly, or it is reasonably likely that this scenario could arise, speak with your privacy counsel about your options and the risks associated with each.  Planning for this scenario in advance will give your company much greater flexibility when and if the issue arises.

The Federal Trade Commission recently announced that it settled charges against a health billing company and its former CEO that they misled consumers who had signed up for their online billing portal by failing to inform them that the company would seek detailed medical information from pharmacies, medical labs and insurance companies.

The Atlanta-based medical billing provider operated a website where consumers could pay their medical bills, but in 2012, the company developed a separate service, Patient Health Report, that would provide consumers with comprehensive online medical records.  In order to populate the medical records, the company altered its registration process for the billing portal to include permission for the company to contact healthcare providers to obtain the consumer’s medical information, such as prescriptions, procedures, medical diagnoses, lab tests and more.

The company obtained a consumer’s “consent” through four authorizations presented in small windows on the webpage that displayed only six lines of the extensive text at a time and could be accepted by clicking one box to agree to all four authorizations at once.  According to the complaint, consumers registering for the billing service would have reasonably believed that the authorizations related only to billing.

The settlement requires the company to destroy any information collected relating to the Patient Health Report service.

This case is a good reminder for companies in the healthcare industry looking to offer new online products involving consumer health information that care must always be taken to ensure that consumers understand what the product offers and what information will be collected.


This week the Federal Trade Commission (FTC) fined TRUSTe, a company that endorses the data privacy practices of businesses, for misrepresenting its certification programs to consumers. TRUSTe offers Certified Privacy Seals, representing TRUSTe’s guarantee that e-commerce websites, mobile apps, cloud-based services, and child-centric websites are compliant with applicable regulatory mandates and employ best practices in protecting consumer information. To earn a Certified Privacy Seal, businesses must share their data privacy practices with TRUSTe, meet TRUSTe’s requirements for consumer transparency, and allow consumers to choose how personal information is collected and used.

However, once TRUSTe bestowed a Certified Privacy Seal on some companies, the FTC alleges that TRUSTe did little to ensure that these companies continued to follow TRUSTe’s best practices. TRUSTe admitted that it failed to conduct annual audits of previously certified websites, but reiterated that less than 10% of TRUSTe’s certifications were part of this oversight. You can read TRUSTe’s statement on its blog.

So, if you’re a business that deals with consumer personal information, is it worth the time and expense to receive third party certifications like those given by TRUSTe? It depends. Third party oversight may be valuable reassurance for your business, instilling confidence that all best practices and regulatory frameworks are identified and followed. However, don’t rely too heavily on such third party certification. While the FTC was silent on any ramifications for customers of TRUSTe, businesses should engage any third party certification with the mindset that the business itself is ultimately responsible for ensuring its privacy practices follow industry standards and meet all regulatory requirements.


On January 21, 2014, the United States District Court for the Southern District of California issued a significant ruling for plaintiffs in data breach cases in the litigation over the Sony data breach (Case No. 3:11-02258).  Although the Court dismissed 43 of the Plaintiffs’ 51 claims, the Court allowed certain claims based upon state consumer protection statutes to proceed.  Unlike the rulings in many other data breach cases, the Court found that Plaintiffs alleged a “credible threat” of impending harm as a result of the disclosure of their personal information.  The Court further held that, in order to establish standing, Plaintiffs were not required to allege that their personal information was actually accessed by a third party.  This decision may be a sign that courts are becoming more willing to allow plaintiffs to overcome the standing hurdle, a hurdle that has precluded many data breach plaintiffs’ claims in the past.

The remaining state consumer protection statute claims are mainly based upon Sony’s alleged misrepresentations about “reasonable security” and “industry-standard encryption.”  The Court found that, “because Plaintiffs have alleged that Sony omitted material information regarding the security of Sony Online Services, and that this information should have been disclosed to consumers at the time consumers purchased their Consoles, the Court finds Plaintiffs have sufficiently alleged a loss of money or property ‘as a result’ of Sony’s alleged unfair business practices.”  In addition, Plaintiffs allege that Sony misrepresented that it would take “reasonable steps” to secure Plaintiffs’ personal information, and that Sony “use[d] industry-standard encryption to prevent unauthorized access to sensitive financial information.”  Although Sony defends against these allegations by stating that it did not promise any right to so-called “perfect security,” the Court found that whether Sony’s representations were deceptive is a question of fact that cannot be decided on a motion to dismiss.

  •  What should companies learn from this decision?  When making any representation regarding data security including, but not limited to, how a company protects sensitive consumer information, companies must proceed with caution.  These representations must be complete, accurate and made in a non-misleading manner.  Companies should review and update their data security representations on a regular basis.


On Friday, September 27, 2013, Governor Brown signed California Assembly Bill 370 (AB 370), an amendment aimed at strengthening the state’s Online Privacy Protection Act (CalOPPA), into law. AB 370 requires websites and online services that collect personally identifiable information to disclose how they respond to users’ “do not track” requests. We recommend that our clients revise their privacy policies now, as AB 370 is effective immediately.

Current California Law – Section 22575

Current California law requires that operators of commercial websites and online services conspicuously post a privacy policy. These online privacy policies must outline what personally identifiable information the website collects and identify third parties that may receive this information. California currently defines personally identifiable information as names, contact information, Social Security numbers and any other individually identifiable information that the site collects, including both user-entered data and automatically collected data.

Privacy policies must also indicate whether and how users may review, or request changes to, their personally identifiable information. Information regarding how the website or online service notifies users about changes to the privacy policy must also be included.

Additional Disclosure Provisions

AB 370 does not prohibit commercial websites or online services from tracking and gathering personal information from their users. The bill only requires sites to disclose their “do not track” policies. As such, a site may choose to ignore users’ “do not track” requests and still comply with AB 370, as long as the site discloses this policy.

Under AB 370, the following “do not track” provisions have been added to Section 22575:

  • If a site or online service collects personally identifiable information from users or tracks online activity, the site must disclose how it responds to web browser “do not track” requests and similar signals that users may employ.
  • A site must disclose whether third parties may use the site or service to collect personally identifiable information and information about a user’s online activities over time and across different sites.
  • Sites may include a hyperlink in their online privacy policy that leads to a description of any program or protocol that allows users a “do not track” option.

Although AB 370 is effective immediately, the “do not track” provisions are covered under the Section 22575 safe harbor that gives websites and online services 30 days to cure any defects after receiving notice of noncompliance.

Implications

On its face, AB 370 applies to websites and online services that are visited or used by California residents, not just to those operating in California. Thus, AB 370 will require a change in every online privacy policy that does not already address “do not track” requests, unless California-specific policies are created.