PRIVACY & INFORMATION LAW UPDATE
Kiss My Phone!

The proliferation of smart phones and other mobile devices has fueled a steady march away from brick and mortar to mobile commerce and transactions. The underlying technology promises to yield previously unimagined enterprise and consumer applications, and growth opportunities for businesses in the evolving ecosystem: mobile device manufacturers, merchants, financial institutions and the payment card industry, developers, and social platform, content and network service providers. However, uncertainties about system interoperability, market fragmentation, the definition of money, the application of existing consumer protection laws, and even the use of the current patent registration and protection framework as a litigation strategy create potential risk. When it comes to uncertainty and risk, privacy and data security top the list.

A key concern is whether the current privacy regulatory framework in the U.S. provides adequate guidance to businesses in this nascent industry to assess, plan for and address risk. Some businesses that engage in traditional activities, such as mobile carriers, financial services institutions, merchants and website operators, may already be subject to existing privacy and data security laws. It is less clear whether they remain so, or how those laws might apply, when they engage in activity that strays from the traditional or share data with other actors, including developers, marketers or content providers. Similar ambiguities exist in connection with other entities, including a growing number of non-bank entities that process payments. A case can be made that existing privacy laws and regulations already govern compliance obligations, including those arising from these relationships. However, the absence of clear guidance from regulators and the courts could exacerbate risk and result in barriers to entry that impede innovation or growth.

Not surprisingly, these issues have drawn the attention of federal and state enforcement authorities, policymakers, privacy advocates and privacy class action lawyers. Standards organizations and industry groups are developing guidelines and best practices to promote consumer trust in mobile payment applications and merchant processing security. Companies competing to establish or protect market share, and to market products and services to consumers, must understand how the relationships and interactions in the mobile transactions ecosystem give rise to privacy and data security risk, and then formulate and adopt responsive legal strategies.

Background

Simply put, a mobile transaction involves a remote or point-of-sale payment for goods or services, or another currency transfer, made with a mobile device such as a smart phone. Payments can be used to purchase and validate tickets, preload gift or loyalty cards, purchase credits or transfer funds, including from one person to another.

1. Remote Mobile Payments

Remote mobile payments use SMS (an early solution that enabled mobile payments not only for goods and services but also for charitable giving) or the Wireless Application Protocol (WAP) for transactions that can be completed from any location at any time. In SMS-based person-to-business transactions, a customer typically creates an account with a mobile payment service provider and links a payment card (credit, debit or prepaid) to that account. The customer and the payment provider communicate by text message, exchanging such information as the purchase amount, authentication information, confirmation of the transaction/purchase amount, and payment notification. Payment is accomplished when the payment provider transfers the transaction amount to the merchant's account. The payment provider notifies the merchant of payment, and the merchant then moves the funds electronically to a bank account or requests another form of payment from the payment provider.

In an SMS-based charitable donation transaction, the amount is billed through a mobile carrier and appears on the consumer's phone bill. In a WAP-based transaction, the customer accesses a merchant's web site using the phone's mobile browser to make a purchase that resembles a traditional online transaction on a merchant's website. The payment provider can test a payment application or provide a downloadable form on a web page to enable purchases.

2. Point of Sale Mobile Payments

Point of sale (POS) or proximity payments use Near Field Communication (NFC), a limited-range wireless technology that enables the exchange of data between a microchip or similar technology embedded in a mobile device and a POS terminal. The chip contains customer payment account information. NFC-enabled transactions are billed to a linked payment card, including loyalty or gift cards stored in the device. Payment cards can also be stored in a mobile wallet -- a type of smartphone app -- on a mobile device. NFC-equipped phones can be used in retail outlets, public transportation settings, or at parking meters.

In an NFC-based transaction, a customer typically moves or taps their mobile phone near or against the POS terminal. The terminal reads the phone's NFC chip, its UDID and a unique code for the transaction known as a cryptogram, and sends this data to the merchant's bank. The merchant's bank sends the transaction data to the customer's bank, which uses the cryptogram to authenticate the phone and identify the customer's account from which payment is to be authorized and made. The customer's bank declines or authorizes the transaction. If authorized, funds are transferred and the transaction is complete. Other POS payment technologies enable phone-to-phone, bar code scanning, card reading or credit card processing and management technology to make person-to-person transfers or purchase an item at a business.

Privacy & Security: Something to Think About

As shown above, the mobile transactions ecosystem consists of many actors and interactions among them. These businesses can track a user's location on the device itself or through apps that can share or otherwise capture and disclose location, payment and other information, including highly sensitive information about a specific user. This data can be used for geofencing and for serving targeted ads. It is attractive to government authorities because it can be used for law enforcement investigations. Questions about data ownership, control, liability for noncompliance with privacy law and government access abound.

There are also a number of complex data security risks posed by the lack of standards, the number of actors, the location in which user data is stored (in the cloud or on a mobile device) and possibly even the devices or platforms themselves. For example, one benefit of fragmentation is that there is no preferred platform for mobile transactions; if and when there is, it will be targeted with malware by cybercriminals. The evolving body of law and industry standards that addresses Internet security may or may not be a good fit in this context. The Payment Card Industry Data Security Standards Council recently issued guidelines that are intended to promote data security for mobile transactions. The guidelines call for proper implementation of robust security protocols. Nevertheless, there are some practical uncertainties, including: 1) whether, to what extent, and to whom contractual obligations and protections apply among providers and to consumers; and 2) how contractual and statutory obligations coexist.

Conclusion

In order to minimize risk and encourage wide-scale adoption of mobile transactions, businesses will have to adopt a multi-pronged approach to address the privacy and data security issues outlined above. Part II of this series will discuss policy trends and the potential application of existing privacy law to mobile transactions, and how they might inform such an approach, along with some practical tips for minimizing risk.
Online Behavioral Advertising Accountability Program Faults Kia Motors for Noncompliance With Self-Regulatory Principles

The Transparency principle is intended to ensure that consumers are provided adequate notice about behind-the-scenes OBA data collection and use. Third parties, such as ad networks, are required to provide enhanced notice whenever they collect data to serve an OBA ad as part of an online advertising campaign. As explained in the decision, enhanced notice is provided through a clear, meaningful and prominent link (i.e., the enhanced notice link) from the Web page on which the third party is collecting data for OBA purposes or serving an advertisement based on user interests inferred from a user's Web browsing activities. The link directs the consumer to information about the third party's OBA data collection and use practices and an opportunity to exercise choice. The Digital Advertising Alliance's (DAA) Advertising Option Icon frequently serves as the link to an OBA disclosure and opt-out tool. Consumers can click on the Icon to find out more about the OBA ad that was served and opt out.

The Accountability Program visited KIA's website using various web browsers. Third parties known to engage in OBA were observed collecting user data through tracking pixels embedded throughout the sites. During the same browsing sessions the Program visited non-affiliated websites where it was served ads for KIA vehicles. According to the decision, the ease with which the Accountability Program was able to reproduce the experience on different devices using different browsers appeared to indicate that the KIA ads it was served were "likely the result of our recent visit to the website and therefore were tailored to us because of our recent browsing history." None of the ads delivered to the Accountability Program during the tests provided enhanced notice. The failure to do so was determined to have violated the Transparency principle.

Accordingly, formal inquiries were initiated with the companies observed to be in the ad serving chain about their roles in serving the ads. The Accountability Program also initiated a formal inquiry with KIA to determine why the ads did not contain the required enhanced notice. In response, KIA initiated its own investigation. The company subsequently instructed its ad agency to: 1) implement measures to ensure that all OBA ads in KIA ad campaigns are served in compliance with the OBA principles, and 2) direct all third-party ad networks to include the DAA AdChoices Icon on all interest-based ads served in those campaigns. KIA also informed the Accountability Program that it is in the process of licensing the AdChoices Icon in order to serve the Icon itself instead of relying on third-party ad networks to do so. This decision appears to put major brands on notice that they can be held accountable under the OBA Self-Regulatory Principles, including for the actions of their ad agencies and other companies involved in their OBA campaigns, even if those brands have not represented that they participate in the self-regulatory program.
U.S. Supreme Court to Review Driver's Privacy Protection Act Litigation Exception

The Respondents, South Carolina class action lawyers, obtained information under South Carolina's Freedom of Information Act from the state DMV about thousands of people who had purchased cars from local car dealers. The data included buyers' names, addresses, phone numbers, and vehicle purchase information. The lawyers used the data to identify potential plaintiffs for several class actions that had been or were in the process of being initiated against the car dealers under a state consumer protection statute. The buyers received solicitations from the class action lawyers, who invited the buyers to become plaintiffs in the lawsuits. The buyers subsequently brought suit[2] in federal district court alleging that the class action lawyers impermissibly obtained their personal information without their consent and used it in violation of the DPPA. The district court granted summary judgment in favor of the lawyers, holding that they did not solicit the buyers in violation of the DPPA, and that their use of the buyers' driver records was permissible under the DPPA's litigation exception. The U.S. Court of Appeals for the Fourth Circuit affirmed, finding that the solicitations were "inextricably intertwined" with the original lawsuits. The Fourth Circuit's decision conflicts with decisions in other circuits, including the Eleventh and Third Circuits, on whether lawyers may obtain information protected under the DPPA for the sole purpose of soliciting plaintiffs, and what the appropriate test should be for when DPPA-protected data may be used. According to the schedule set by the Supreme Court, briefing will conclude in December. The case is expected to be argued this spring.

[1] 18 U.S.C. §§ 2721-2725. In Reno v. Condon, 528 U.S. 141 (2000), the DPPA was found to be a constitutional exercise of Congressional authority to regulate interstate commerce.
FTC Settles Rent-To-Own Spying Cases

Specifically, the FTC alleged that DesignerWare developed and licensed PC Rental Agent and an add-on, Detective Mode, to the rent-to-own stores. The software collected usernames, passwords, medical records, social security numbers, and photos. The FTC also alleged that PC Rental Agent tracked the computers' locations by logging the computers' Wi-Fi hotspot locations. The location data was sent to DesignerWare, which cross-referenced the locations with public data to ascertain the computer users' physical addresses and sent the information to the rent-to-own companies. The FTC further alleged that DesignerWare tricked users into providing their physical addresses and personal contact information by using a fake software registration window.

The proposed settlement orders ban DesignerWare and the seven rent-to-own stores from using monitoring software like the programs in this case. The FTC defined the terms "monitoring technology" and "geophysical location tracking technology" so that the software covered by the orders is clearly understood. Thus, monitoring technology is defined as any hardware, software, or application utilized in conjunction with a computer that can cause the computer to:

The definition of geophysical location tracking includes the reporting of GPS coordinates, WiFi hotspots, or telecommunications towers -- all technologies that allow for a relatively precise location of the item tracked. DesignerWare and the stores will be prohibited from using geophysical location tracking software without notice and consent. DesignerWare will also be barred from employing deceptive practices to collect personal information from consumers, such as using fake software registration screens, and the seven rent-to-own stores will be prohibited from using improperly gathered consumer information in connection with debt collection. The proposed settlements also contain record keeping requirements that allow the FTC to monitor compliance with the orders for the next 20 years.

The principles underlying this settlement can be extended to practices that are not as egregious as those alleged by the FTC in this action. Other rent-to-own or similar businesses that collect customer data -- for example, automobile or car sharing -- should be familiar with the proposed settlement orders and the FTC's analysis of them. They should also undertake a comprehensive evaluation of their data collection, sharing, use and retention practices to make sure those practices are aligned with the outcome in this case.
U.S. Department of Energy Announces Smart Grid Privacy Multistakeholder Process

The U.S. Department of Energy (DOE) has announced that it will initiate a multistakeholder process to develop a Voluntary Code of Conduct (VCC) for utilities and third parties providing consumer energy use services. According to the announcement, the voluntary codes will address customer data privacy policies related to information collected, including energy usage information, by and through the developing smart grid infrastructure in the U.S. The process will engage stakeholders during a series of meetings, the first of which will be convened by the DOE Smart Grid Privacy Task Force on December 6, 2012. The objective of this meeting will be to determine a process and timeline for developing the codes and to address what main elements the codes should contain.

The process is being initiated in response to the Administration's privacy initiative. The initiative is outlined in a White House report (Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy) released earlier this year. The report calls for multistakeholder processes to develop legally enforceable voluntary codes of conduct for protecting consumer privacy. The National Telecommunications and Information Administration has already convened a number of multistakeholder meetings to address mobile app privacy. Those interested in attending are asked to contact DOE by visiting the DOE Smart Grid website.
FTC Announces Proposed COPPA Settlement with Operator of Musicians' Fan Websites

On October 4, 2012, the Federal Trade Commission (FTC) announced a proposed consent decree with Artist Arena, the operator of several music websites. If approved by a federal court, the decree will settle charges that the company violated the Children's Online Privacy Protection Act (COPPA) by improperly collecting personal information from children under the age of 13 without first obtaining their parents' consent. Under the terms of the settlement Artist Arena will pay one million dollars in civil penalties, be barred from future violations of the Rule, delete all information collected in violation of the Rule, and be subject to certain monitoring and reporting requirements.

Artist Arena operates a number of websites for young musicians including Rihanna, Demi Lovato and Justin Bieber. The FTC alleged that children visiting the sites were able to register to join a fan club, create profiles and post content on members' walls. Children also provided personal information to subscribe to fan newsletters. The sites collected children's names, addresses, email addresses, birthdates and gender information in violation of COPPA. The FTC also alleged that Artist Arena violated Section 5 of the Federal Trade Commission Act by falsely claiming that it would not collect children's personal information or activate a child's registration without obtaining prior parental consent. The company registered over 25,000 children under age 13 and collected and maintained personal information from almost 75,000 additional children who began, but did not complete, the registration process.

This settlement was announced as the FTC continues to consider proposed updates to the COPPA rule to address the growing adoption of interactive and mobile technologies by young children. During this process, the FTC has stepped up its aggressive enforcement of the rule, bringing actions against both child-directed and general audience sites to ensure that the rule's objective of protecting children's online privacy is achieved. Child-directed websites and online services, as well as general audience sites and online services that attract children, should regularly review their data collection, sharing and use practices to ensure that those practices are aligned with the requirements of the COPPA rule and the FTC's interpretation of the rule as reflected in the COPPA settlements.
Comment Period for Proposed Changes to COPPA Rule Closes - New Rule Likely to Impact Wide Swath of Businesses

The COPPA rule generally requires operators of child-directed websites, online services and apps to obtain verifiable parental consent by narrowly prescribed means before they collect personal information from a child who is under the age of 13. The rule also applies to operators of general audience sites and services that knowingly collect personal information from these children. Publication of the revised rule will conclude proceedings that were initiated by the FTC in 2010 when it accelerated a statutorily mandated 5-year review. The accelerated review was initiated because of perceived threats to children's online privacy posed by their rapid adoption of new technologies and services, including mobile devices, social media and other interactive technologies. The FTC announced proposed changes to COPPA and sought comments. Nearly one year later, it issued a supplemental notice of proposed rulemaking with proposed modifications to the originally proposed rule. The somewhat tortured process reflects the complex challenges involved in crafting a framework that protects children's online privacy while preserving the ability of businesses to bring the benefits of innovative technology to people of all ages. If adopted as proposed, the revised rule could add compliance costs and obligations by:

The FTC has indicated that a revised rule could be published before the end of this year. Businesses, including website operators, online service providers and app developers, should consider initiating a comprehensive review of their data collection practices, those of third party service providers (including reviewing relevant contract provisions) and the practices of other parties that can be seen as collecting data through an operator's website or service, in preparation for likely adjustments to their COPPA compliance strategies.
11th Circuit Holds that Businesses Can Be Liable for Customer Identity Theft after a Data Breach

The facts of the case begin with a data breach at AvMed, a health insurance company based in Florida. The parties did not dispute that two laptops were stolen from AvMed's offices and that those laptops contained sensitive customer information, including medical and health data, Social Security numbers, names, addresses, and phone numbers. The parties also did not dispute that 10 to 14 months after the theft, two of the named plaintiffs had their identities stolen. Bank accounts, credit cards, and other financial accounts were opened in the plaintiffs' names using their sensitive personal information, and one plaintiff's address was changed with the United States Postal Service. The plaintiffs also claimed that they had never before been victims of identity theft and that they took care to protect any sensitive personal information in their possession. The plaintiffs sued AvMed for negligence, negligence per se, breach of contract, breach of implied contract, breach of the implied covenant of good faith and fair dealing, breach of fiduciary duty, and unjust enrichment.[2]

There were two issues[3] before the 11th Circuit with broad relevance in data breach cases: (1) whether the plaintiffs had standing to sue and (2) whether their Complaint should be dismissed for failure to state a claim upon which relief may be granted. On the question of standing, the Court and the dissent agreed that the plaintiffs had standing because they alleged monetary damages as a result of their actual identity theft, that the identity theft occurred after the theft of AvMed's laptops and despite the plaintiffs' actions to secure their personal information, and that compensatory damages would remedy those monetary damages. But in evaluating the motion to dismiss for failure to state a claim, the plaintiffs faced a higher bar for showing that AvMed's actions caused the plaintiffs' injuries.

It is here that the Judges disagreed, with the Majority finding that the plaintiffs showed that it was not just possible or coincidental, but plausible, that the data breach at AvMed caused the plaintiffs' identity thefts. The Majority reasoned that the following alleged facts are sufficient to support that finding: (1) the plaintiffs took care to protect their personal information, (2) the defendant was in possession of the plaintiffs' personal information, (3) the plaintiffs' sensitive personal information was stolen from the defendant, (4) the plaintiffs' identities were stolen and financial accounts were opened using their sensitive personal information 10 to 14 months after the data breach at AvMed, and (5) the plaintiffs had never before been victims of identity theft. Accordingly, the Court found that "[p]laintiffs have sufficiently alleged a nexus between the data theft and the identity theft."[4]

The dissent disputed this reasoning, concluding instead that the facts only show "a coincidence of time and sequence."[5] The dissent reasoned that the plaintiffs only alleged that their sensitive personal information was stolen from AvMed and that about a year later their identities were stolen. However, the plaintiffs did not allege facts that link the events to support their claim that the identity thieves received the plaintiffs' personal information from the laptops stolen from AvMed. It is equally possible that the identity thieves received the plaintiffs' personal information from some other source, such as a third party that sends credit card offers to the plaintiffs.

The dispute reflected in the majority and dissenting opinions illustrates the difficulty in establishing a legally sufficient nexus between an event like the one that formed the basis for this lawsuit and the facts leading to identity theft. Personal information is easily reproducible and is constantly collected and distributed by a myriad of business, nonprofit and government entities. Therefore, whether the majority opinion or the dissent's reasoning is adopted by other courts, plaintiffs will likely carry a heavy and difficult burden when attempting to recover for identity theft from someone other than the actual identity thief. Nevertheless, organizations must continue to be diligent in protecting personal data -- for the protection of their customers and because the outcome in this case demonstrates that they can be made to answer for the consequences of a data breach, no matter how attenuated the facts.

[1] Resnick v. AvMed, Inc., No. 11-13694 (11th Cir. Sept. 5, 2012).
INTERNATIONAL DISPATCHES
Singapore Parliament Approves Comprehensive Data Protection Legislation

As we reported previously, the law, which was first proposed in September 2011 as a consultation paper, establishes a consumer data protection regime to govern the collection, use, disclosure, transfer and security of personal data. It includes a Do Not Call registry that will be fully implemented in 2014. The law applies to all organizations in Singapore, except those in the public sector, which are governed by an existing Data Protection framework. It also creates a new enforcement agency that will have the authority to issue remedial measures and impose financial penalties for noncompliance. Passage of the legislation replaces the country's sector-by-sector approach to protecting privacy by establishing a baseline standard of protection for personal data across the economy. The new law is intended to achieve the goal of enhancing Singapore's status as a trusted jurisdiction for global data management and processing services, consistent with other frameworks for protecting privacy, such as the OECD Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data and the Asia-Pacific Economic Cooperation Privacy Framework.
European Commission Issues New Strategy for Cloud Computing

In furtherance of this goal, the strategy calls for:
UK ICO Confirms Business is Responsible for Customer Data Stored in the Cloud

According to a press release, the ICO acted on the belief that many businesses are moving data to the cloud but are unaware that they remain responsible for that data. The Guide includes the following practical suggestions:

Given the ICO's unambiguous stance that businesses are liable for data stored by third party cloud service providers, companies should conduct appropriate due diligence to ensure that their cloud service providers have thoroughly evaluated risk and are complying with applicable law.
UPDATES
Privacy Class Action Against Pandora Dismissed

Specifically, the Plaintiff alleged that Pandora violated the VRPA by making his profile searchable on the web, thereby disclosing his listening activities to third parties, and by posting this information on Facebook. The VRPA prohibits video tape service providers from disclosing data about an individual's video rental activities. The VRPA also applies to other content providers. It provides in relevant part:

The Court concluded that the Plaintiff failed to allege facts sufficient to state a claim under the VRPA because Pandora never rented, lent or sold sound recordings to him, according to the dictionary definition of those terms. Accordingly, the Court dismissed the Complaint with leave to amend. The Court also dismissed the CPA claim on the grounds that the Plaintiff failed to plead facts sufficient to establish that he had suffered a loss, as required under the statute. The VRPA is one of several state versions of the federal Video Privacy Protection Act[4] (VPPA). The integration of social sharing tools by online video services and other content providers has coincided with an uptick in litigation under the VPPA and state equivalents.

[1] Case No. C 11-04674 SBA (N.D. Cal. September 27, 2012).
California Governor Signs Laws Limiting Employer Access to Social Media Accounts

As we reported previously, AB 1844 prohibits employers from demanding user names, passwords or any other information related to social media accounts from employees and job applicants. Under the law employers are also prohibited from discharging or disciplining employees who refuse to divulge such information. This prohibition does not apply to passwords or other information used to access employer-issued electronic devices. The bill does allow employers to request or require access to personal social media accounts under limited circumstances to investigate employee misconduct or if necessary to access an employer-issued device. SB 1349 imposes similar restrictions on postsecondary institutions with respect to students' use of social media. The bill prohibits public and private institutions from requiring students, prospective students and student groups to disclose user names, passwords or other information about their use of social media. This prohibition does not affect the school's right to investigate or punish student misconduct.
PCI Data Security Council Issues Best Practices for Mobile Payment Acceptance App Security

The Guidelines focus on payment applications that operate on any consumer electronic handheld device -- such as a smartphone, tablet or PDA -- that is not solely dedicated to payment-acceptance transaction processing, in order to secure actual payment transactions over these devices. Specifically, the Guidelines recommend how best to 1) prevent interception during payment data entry into a mobile device; and 2) secure the mobile payment application platform environment to prevent data leakage while payments are processed or stored within the mobile device. Recommendations include:
FTC Issues Guide for Mobile App Developers

The Guide's truth-in-advertising principles include telling the truth about what an app can do and disclosing key information clearly and conspicuously. The release of the guide occurs at a time when mobile app privacy is garnering significant attention from lawmakers, regulators, industry self-regulatory bodies and privacy class action lawyers. In order to minimize risk, it is important that developers familiarize themselves with applicable rules, self-regulatory frameworks and guidelines, and understand the interplay of each when implementing privacy and data protection practices and policies.
NEWS & ANNOUNCEMENTS
Karen Neuman to Discuss Connected Car Privacy at San Diego Auto Content and Apps Conference

Copyright © 2012 St. Ledger-Roty & Olson, LLP.