St. Ledger-Roty & Olson LLP

PRIVACY & INFORMATION LAW UPDATE
October 2012
A bimonthly update of trends and developments in privacy law & policy

Karen Neuman, Editor

  • You are receiving this publication because of your interest in privacy and data security. It is for informational including advertising purposes only and not a substitute for legal advice.
  • Not interested? Unsubscribe or forward to someone who might be.
  • Did someone send you this Update? Subscribe to receive your own or view past issues.

In this Issue:
FEATURE ARTICLE:
Kiss My Phone!
Transactions on the Go: Understanding & Addressing Privacy Risk
Part I in a Series
Online Behavioral Advertising Accountability Program Faults Kia Motors for Noncompliance With Self-Regulatory Principles
U.S. Supreme Court to Review Driver’s Privacy Protection Act Litigation Exception
FTC Settles Rent-To-Own Spying Cases
U.S. Department of Energy Announces Smart Grid Privacy Multistakeholder Process
FTC Announces Proposed COPPA Settlement with Operator of Musicians' Fan Websites
Comment Period for Proposed Changes to COPPA Rule Closes - New Rule Likely to Impact Wide Swath of Businesses
11th Circuit holds that Businesses can be Liable for Customer Identity Theft after a Data Breach

INTERNATIONAL DISPATCHES:
Singapore Parliament Approves Comprehensive Data Protection Legislation
European Commission Issues New Strategy for Cloud Computing
UK ICO Confirms Business is Responsible for Customer Data Stored in the Cloud

UPDATES:
Privacy Class Action Against Pandora Dismissed
California Governor Signs Laws Limiting Employer Access to Social Media Accounts
PCI Data Security Council Issues Best Practices for Mobile Payment Acceptance App Security
FTC Issues Guide for Mobile App Developers

NEWS & ANNOUNCEMENTS:

Karen Neuman to Discuss Connected Car Privacy at San Diego Auto Content and Apps Conference

FEATURE ARTICLE:

Kiss My Phone!
Transactions on the Go: Understanding & Addressing Privacy Risk
Part I in a Series

By Karen Neuman

The proliferation of smart phones and other mobile devices has fueled a steady march away from brick and mortar to mobile commerce and transactions. The underlying technology promises to yield previously unimagined enterprise and consumer applications, and growth opportunities for businesses in the evolving ecosystem: mobile device manufacturers, merchants, financial institutions and the payment card industry, developers, and social platform, content and network service providers. However, uncertainties about system interoperability, market fragmentation, the definition of “money”, application of existing consumer protection laws, and even the use of the current patent registration and protection framework as a litigation strategy create potential risk.
Read more...

 

Online Behavioral Advertising Accountability Program Faults Kia Motors for Noncompliance With Self-Regulatory Principles
By Karen Neuman

On October 1, 2012 the Advertising Self-Regulatory Council/Council of Better Business Bureaus Online Interest-Based Advertising Accountability Program (Accountability Program) issued a decision in which it found that an automobile manufacturer failed to comply with the Self-Regulatory Principles for Online Behavioral Advertising (OBA). Specifically, the Program found that KIA, its marketing arm and its ad agency failed to adhere to the Accountability Program’s Transparency principle. This principle requires that consumers receive “enhanced notice” whenever they are served an ad based on interests inferred from online browsing history. Interestingly, the Accountability Program initiated proceedings against KIA even though the company apparently had not indicated its participation in the Program.
Read more...

 

U.S. Supreme Court to Review Driver’s Privacy Protection Act Litigation Exception
By Karen Neuman

The Driver’s Privacy Protection Act of 1994 (DPPA)1 prohibits the nonconsensual disclosure of personal information about licensed drivers in state DMV records for marketing. The DPPA does permit nonconsensual disclosure of this information for use in connection with civil litigation, including “investigation[]s in anticipation of litigation.” On September 25, 2012 the U.S. Supreme Court agreed to consider if the scope of the litigation exception allows lawyers to obtain personal information from state DMV records to recruit plaintiffs for class actions. The case, Maracich v. Spears, No. 12-25, should be closely monitored by business because its outcome could have an impact on the ability of lawyers to search for and identify plaintiffs for class actions.
Read more...

 

FTC Settles Rent-To-Own Spying Cases
By Karen Neuman

On September 25, 2012 the FTC settled charges that several companies violated the Federal Trade Act by spying on consumers using software installed on computers rented by the consumers. The Complaint alleged that software developed by DesignerWare, LLC ,and licensed to seven rent-to-own stores to help the stores track and recover rented computers, captured screenshots of personal information, logged computer keystrokes, and in some cases took webcam pictures of people in their homes -- all without notice to or consent from the consumers.
Read more...

 

U.S. Department of Energy Announces Smart Grid Privacy Multistakeholder Process
By Karen Neuman

The U.S. Department of Energy (DOE) has announced that it will initiate a “multistakeholder process to develop a Voluntary Code of Conduct (VCC) for utilities and third parties providing consumer energy use services.” According to the announcement, the voluntary codes will address customer data privacy policies related to information collected—including energy usage information—by and through the developing smart grid infrastructure in the U.S. The process will engage stakeholders during a series of meetings, the first of which will be convened by the DOE Smart Grid Privacy Task Force on December 6, 2012. The objective of this meeting will be to determine a process and timeline for developing the codes and to address what main elements the codes should contain.
Read more...

 

FTC Announces Proposed COPPA Settlement with Operator of Musicians’ Fan Websites
By Karen Neuman

On October 4, 2012, the Federal Trade Commission (FTC) announced a proposed consent decree with Artist Arena, the operator of several music websites. If approved by a federal court, the decree will settle charges that the company violated the Children’s Online Privacy Protection Act (COPPA) by improperly collecting personal information from children under the age of 13 without first obtaining their parents’ consent. Under the terms of the settlement Artist Arena will pay one million dollars in civil penalties, be barred from future violations of the Rule, delete all information collected in violation of the Rule, and be subject to certain monitoring and reporting requirements.
Read more...

 

Comment Period for Proposed Changes to COPPA Rule Closes - New Rule Likely to Impact Wide Swath of Businesses
By Karen Neuman

The deadline for filing comments with the Federal Trade Commission (FTC) on proposed changes to the Children’s Online Privacy Protection Act (COPPA) rule closed September 24. All indications are that the revised rule will create complex new compliance obligations for a wide swath of businesses, impose unintended barriers to entry for new ventures and potentially suppress innovation and growth in new markets, including educational content, games and services, and related delivery platforms.
Read more...

 

11th Circuit holds that Businesses can be Liable for Customer Identity Theft after a Data Breach
By Ari Moskowitz

On September 5, 2012, the United States Court of Appeals for the 11th Circuit ruled that a lawsuit alleging that a data breach caused identity theft could move forward. The 2-1 decision in Resnick v. AvMed1 reversed a decision by the lower court to dismiss the action for failure to allege an injury cognizable under the law. The 11th Circuit disagreed, finding that the plaintiffs alleged sufficient facts to make it plausible that the data breach at AvMed caused their identities to be stolen. The dissent highlights a dispute that is likely to play out in courts throughout the country as increasingly vast amounts of personal information are kept in digital storage by an ever-growing number of entities.
Read more...

 

INTERNATIONAL DISPATCHES

Singapore Parliament Approves Comprehensive Data Protection Legislation
On October 14, 2012, the Singapore parliament approved legislation designed to safeguard personal data. Personal data is defined as data that relates to an identifiable individual, whether the data is stored in electronic or non-electronic form. To give businesses time to prepare, the law will be phased in with full enforcement set to begin January 2014.
Read more...

 

European Commission Issues New Strategy for Cloud Computing
On September 27, 2012 the European Commission (EC) issued a document, Unleashing the Potential of Cloud Computing in Europe, that outlines a new strategy to accelerate adoption of cloud computing in the EU in order to realize the economic benefits of this technology and establish Europe as a global destination for safe and secure cloud computing. The new strategy is intended to address perceptions that cloud computing poses additional risk for business by making it easier for companies to demonstrate and verify compliance through standards and certification, and by developing appropriate legal frameworks.
Read more...

 

UK ICO Confirms Business is Responsible for Customer Data Stored in the Cloud
On September 27, 2012 the Office of the UK Information Commissioner (ICO) released new guidance for businesses that outsource data for cloud storage. The document, Guide to Cloud Computing (Guide), reminds companies that they remain responsible for how personal data is managed and protected when they transmit that data to, and store it with, third party cloud service providers.
Read more...

 

UPDATES

Privacy Class Action Against Pandora Dismissed
On September 27, 2012 a federal court issued an Order in Deacon v. Pandora Media, Inc.1 dismissing a class action against Internet radio service provider Pandora Media, Inc. (Pandora). The Plaintiff alleged that the company made the Plaintiff’s profile information publicly available and posted his listening activities on Facebook in violation of Michigan’s Video Rental Privacy Act2 (VRPA) and Consumer Protection Act3 (CPA).
Read more...

 

California Governor Signs Laws Limiting Employer Access to Social Media Accounts
On September 27, 2012, California Governor Jerry Brown signed into law measures that increase protections for certain social media users in California. The measures prohibit employers and universities from requiring that applicants provide their email or social media account login credentials. The laws take effect January 1, 2013.
Read more...

 

PCI Data Security Council Issues Best Practices for Mobile Payment Acceptance App Security
On September 13, 2012 the PCI Security Standards Council (PCI SSC) issued new guidelines for mobile payment acceptance security. As we reported previously, the PCI SSC issued a “fact sheet” in May to help merchants accept payments securely when using a mobile device, consistent with the PCI Data Security Standard (PCI DSS). The fact sheet was intended as a first step toward fully secure mobile payments. The new guidelines, PCI Mobile Payment Acceptance Security Guidelines (Guidelines), recommend best practices for developers and mobile device manufacturers, intended to encourage the design of security controls against a growing range of threats, including “man-in-the-middle” attacks and malware. The Guidelines should be useful to merchants that develop their own mobile payment apps.
Read more...

 

FTC Issues Guide for Mobile App Developers
On September 5, 2012 the FTC issued advertising guidelines for mobile app developers entitled Marketing Your Mobile App: Get It Right from the Start. According to the FTC’s announcement, the guide is intended to help mobile app developers observe basic privacy and truth-in-advertising principles when marketing their apps. Specific guidelines include the following privacy principles:
Read more...

 

NEWS & ANNOUNCEMENTS

Karen Neuman to Discuss Connected Car Privacy at San Diego Auto Content and Apps Conference
Karen Neuman will participate in a gathering of auto, app, content and other tech executives December 4-5 in San Diego to discuss business models for fueling the expansion of the connected car. Her remarks will focus on maximizing consumer trust and minimizing legal risk in the connected car ecosystem as car and tech companies bring social marketing and a plethora of content and services to the “fourth screen.”


FEATURE ARTICLE:

Kiss My Phone!
Transactions on the Go: Understanding & Addressing Privacy Risk
Part I in a Series

By Karen Neuman

The proliferation of smart phones and other mobile devices has fueled a steady march away from brick and mortar to mobile commerce and transactions. The underlying technology promises to yield previously unimagined enterprise and consumer applications, and growth opportunities for businesses in the evolving ecosystem: mobile device manufacturers, merchants, financial institutions and the payment card industry, developers, and social platform, content and network service providers. However, uncertainties about system interoperability, market fragmentation, the definition of “money”, application of existing consumer protection laws, and even the use of the current patent registration and protection framework as a litigation strategy create potential risk.

When it comes to uncertainty and risk, privacy and data security top the list. A key concern is whether the current privacy regulatory framework in the U.S. provides adequate guidance to businesses in this nascent industry to assess, plan for and address risk. Some businesses that engage in traditional activities may already be subject to existing privacy and data security laws. Examples include mobile carriers, financial services institutions, merchants or website operators. It is less clear whether they remain so, or how those laws might apply, when they engage in activity that strays from the traditional, or share data with other actors, including developers, marketers or content providers. Similar ambiguities exist in connection with other entities, including a growing number of non-bank entities that process payments. A case can be made that existing privacy laws and regulations already govern compliance obligations, including those arising from these relationships. However, the absence of clear guidance from regulators and the courts could exacerbate risk and result in barriers to entry that impede innovation or growth.

Not surprisingly, these issues have drawn the attention of federal and state enforcement authorities, policymakers, privacy advocates and privacy class action lawyers. Standards organizations and industry groups are developing guidelines and best practices to promote consumer trust in mobile payment applications and merchant processing security.

Companies competing to establish or protect market share, and market products and services to consumers, must understand how the relationships and interactions in the mobile transactions ecosystem give rise to privacy and data security risk, and then formulate and adopt responsive legal strategies.

Background

Simply put, a mobile transaction involves a “remote” or “point-of-sale” payment for goods or services, or other currency transfers, by using a mobile device such as a smart phone. Payments can be used to purchase and validate tickets, preload gift or loyalty cards, purchase “credits” or transfer funds, including from one person to another.

1. Remote Mobile Payments

Remote mobile payments use SMS (an early solution that enabled mobile payments not only for goods and services but also for charitable giving), or the wireless application protocol (WAP) for transactions that can be accomplished from any location and at any time.

In SMS-based person-to-business transactions, a customer typically creates an account with a mobile payment service provider and links a payment (credit, debit or prepaid card) to that account. The customer and the payment provider communicate by text message, exchanging such information as purchase amount, authentication information, transaction/purchase amount confirmation, and payment notification. Payment is accomplished when the payment provider transfers the transaction amount to the merchant’s account. The payment provider notifies the merchant of payment, who then moves the funds electronically to a bank account or requests another form of payment from the payment provider.

In an SMS-based charitable donation transaction, the amount is billed through a mobile carrier and appears on the consumer’s phone bill.

In a WAP-based transaction, the customer accesses a merchant’s web site using the phone’s mobile browser to make a purchase that resembles a traditional online transaction on a merchant’s website. The payment provider can provide a payment application, or a downloadable form on a web page, to enable purchases.

2. Point of Sale Mobile Payments

Point of sale (POS) or “proximity” payments use Near Field Communication (NFC), a short-range wireless technology that lets a chip embedded in a mobile device exchange data with a POS terminal. The chip holds the customer’s payment account credentials. NFC-enabled transactions are billed to a linked payment card; loyalty or gift cards can be stored in the device as well. Payment cards can also be stored in a mobile “wallet” -- a type of smartphone app -- on the device. NFC-equipped phones can be used in retail outlets, on public transportation, or at parking meters.

In an NFC-based transaction, a customer typically taps or holds the mobile phone against or near the POS terminal. The terminal reads from the phone’s NFC chip an account identifier (which may be a token standing in for the real card number) and a one-time code for that transaction known as a “cryptogram”, and sends this data to the merchant’s bank (the acquirer). The acquirer forwards the transaction data to the customer’s bank (the issuer), which uses the cryptogram to authenticate the phone and identify the customer’s account from which payment is to be authorized and made. Because the cryptogram is computed on the device from the transaction details using a key shared only between the device and the issuer, a captured cryptogram cannot be reused for a second purchase or altered to a different amount without the issuer noticing. The customer’s bank declines or authorizes the transaction. If authorized, funds are transferred and the transaction is complete.
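The authentication step described above is easier to reason about with a concrete model. The following is an added example, not code from this newsletter or from any payment network: it mimics the shape of an EMV-style application cryptogram (transaction data authenticated with a key the device shares only with the issuer) using HMAC-SHA256, and shows why a replayed or amount-tampered message is declined. The field layout, the per-device counter, the 8-byte tag length and the fixed sample key are assumptions made for the illustration.

```python
"""Toy model of the cryptogram check in a tap-to-pay authorization.

Added illustration, not code from this newsletter or from any payment
network: it mimics the shape of an EMV-style application cryptogram
(transaction data authenticated with a key shared only between the device
and the issuer) using HMAC-SHA256. The field layout, the 8-byte tag length
and the fixed key below are assumptions for the example.
"""
import dataclasses
import hashlib
import hmac

# Constructed sample key. In a real device it lives in a secure element
# and never leaves it; the issuer holds the only other copy.
DEVICE_KEY = bytes.fromhex("0f1e2d3c4b5a69788796a5b4c3d2e1f0")


@dataclasses.dataclass(frozen=True)
class TapMessage:
    """What the terminal forwards to the acquirer after a tap."""
    account_ref: str       # account identifier or token the issuer can resolve
    amount_cents: int
    counter: int           # per-device transaction counter (like EMV's ATC)
    terminal_nonce: bytes  # unpredictable number chosen by the terminal
    cryptogram: bytes


def _mac_input(account_ref, amount_cents, counter, terminal_nonce):
    # Every field that must not be altered in transit is bound into the MAC.
    return b"|".join([account_ref.encode(), str(amount_cents).encode(),
                      str(counter).encode(), terminal_nonce.hex().encode()])


def _cryptogram(key, account_ref, amount_cents, counter, terminal_nonce):
    data = _mac_input(account_ref, amount_cents, counter, terminal_nonce)
    return hmac.new(key, data, hashlib.sha256).digest()[:8]


class Phone:
    """Device side: holds the key, bumps the counter, emits the cryptogram."""

    def __init__(self, account_ref, key):
        self.account_ref = account_ref
        self._key = key
        self._counter = 0

    def tap(self, amount_cents, terminal_nonce):
        self._counter += 1
        tag = _cryptogram(self._key, self.account_ref, amount_cents,
                          self._counter, terminal_nonce)
        return TapMessage(self.account_ref, amount_cents, self._counter,
                          terminal_nonce, tag)


class Issuer:
    """Issuer side: recomputes the cryptogram and rejects reused counters."""

    def __init__(self, keys_by_account):
        self._keys = dict(keys_by_account)
        self._last_counter = {}

    def authorize(self, msg):
        key = self._keys.get(msg.account_ref)
        if key is None:
            return "declined: unknown account"
        expected = _cryptogram(key, msg.account_ref, msg.amount_cents,
                               msg.counter, msg.terminal_nonce)
        if not hmac.compare_digest(expected, msg.cryptogram):
            return "declined: bad cryptogram"   # tampered or forged
        if msg.counter <= self._last_counter.get(msg.account_ref, 0):
            return "declined: replay"           # counter already consumed
        self._last_counter[msg.account_ref] = msg.counter
        return "approved"


def demo():
    """One honest tap, a replay of it, an amount-tampered copy, a fresh tap."""
    phone = Phone("tok-4242", DEVICE_KEY)
    issuer = Issuer({"tok-4242": DEVICE_KEY})
    msg = phone.tap(1999, b"\x13\x37\xbe\xef")
    results = {"honest": issuer.authorize(msg),
               "replay": issuer.authorize(msg)}
    tampered = dataclasses.replace(msg, amount_cents=199900)
    results["tampered"] = issuer.authorize(tampered)
    results["second_tap"] = issuer.authorize(phone.tap(500, b"\x00\x00\x00\x01"))
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name:10} {outcome}")
```

Two points worth noting for practitioners. The issuer checks the MAC before the counter, so a tampered message is reported as a bad cryptogram rather than a replay, and the counter is only advanced after a successful check. Real EMV uses issuer-derived session keys and a different MAC construction, and the terminal nonce defeats precomputed or replayed cryptograms but not a live relay of a genuine tap; that relay risk is one reason the Guidelines discussed later in this issue single out man-in-the-middle attacks.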

Other POS payment technologies, such as phone-to-phone transfer, bar code scanning, and card readers or credit card processing attachments for a phone, enable person-to-person transfers or purchases at a business.

Privacy & Security: Something to Think About

As shown above, the mobile transactions ecosystem consists of many actors and interactions among them. These businesses can track a user’s location on the device itself or through apps that can share or otherwise capture and disclose location, payment and other information, including highly sensitive information about a specific user. This data can be used for geofencing and for serving targeted ads. It is attractive to government authorities because it can be used for law enforcement investigations. Questions about data ownership, control, liability for noncompliance with privacy law and government access abound.

There are also a number of complex data security risks arising from the lack of standards, the number of actors, where user data is stored (in the cloud or on the mobile device) and possibly the devices or platforms themselves. Fragmentation has one incidental benefit: there is as yet no dominant platform for mobile transactions; if and when one emerges, it will become a concentrated target for malware written by cybercriminals.

The evolving body of law and industry standards that addresses Internet security may or may not be a good fit in this context. The PCI Security Standards Council recently issued guidelines intended to promote data security for mobile transactions; they call for proper implementation of robust security protocols. Nevertheless, practical uncertainties remain, including: 1) whether, to what extent, and to whom contractual obligations and protections apply among providers and to consumers; and 2) how contractual and statutory obligations coexist.

Conclusion

In order to minimize risk and encourage wide scale adoption of mobile transactions, businesses will have to adopt a multi-pronged approach to address the privacy and data security issues outlined above. Part II of this series will discuss policy trends and the potential application of existing privacy law to mobile transactions, and how they might inform such an approach, along with some practical tips for minimizing risk.



Online Behavioral Advertising Accountability Program Faults Kia Motors for Noncompliance With Self-Regulatory Principles
By Karen Neuman

On October 1, 2012 the Advertising Self-Regulatory Council/Council of Better Business Bureaus Online Interest-Based Advertising Accountability Program (Accountability Program) issued a decision in which it found that KIA Motors America, Inc. failed to comply with the Self-Regulatory Principles for Online Behavioral Advertising (OBA). Specifically, the Program found that KIA, its marketing arm and its ad agency failed to adhere to the Accountability Program’s Transparency principle. This principle requires that consumers receive “enhanced notice” whenever they are served an ad based on interests inferred from online browsing history. Interestingly, the Accountability Program initiated proceedings against KIA even though the company apparently had not indicated its participation in the Program.

The Transparency principle is intended to ensure that consumers are provided adequate notice about “behind the scenes” OBA data collection and use. Third parties, such as ad networks, are required to provide enhanced notice whenever they collect data to serve an OBA ad as part of an online advertising campaign.

As explained in the decision, enhanced notice is provided through a “clear, meaningful and prominent link” (i.e., the enhanced notice link) from the Web page on which the third party is collecting data for OBA purposes or serving an advertisement based on user interests inferred from a user’s Web browsing activities. The link directs the consumer to information about the third-party’s OBA data collection and use practices and an opportunity to exercise choice. The Digital Advertising Alliance’s (DAA) Advertising Option Icon frequently serves as the link to an OBA disclosure and opt-out tool. Consumers can click on the Icon to find out more about the OBA ad that was served and opt out.

The Accountability Program visited KIA’s website using various web browsers. Third parties “known to engage in OBA” were observed collecting user data through tracking pixels embedded throughout the sites. During the same browsing sessions the Program visited non-affiliated websites where the Program was served ads for KIA vehicles. According to the decision, the ease with which the Accountability Program was able to reproduce the experience on different devices using different browsers appeared to indicate that the KIA ads it was served were “likely the result of our recent visit to the website and therefore were tailored to us because of our recent browsing history”. None of the ads delivered to the Accountability Program during the tests provided enhanced notice. The failure to do so was determined to have violated the Transparency principle. Accordingly, formal inquiries were initiated with the companies observed to be in the ad serving chain about their roles in serving the ads. The Accountability Program also initiated a formal inquiry with KIA to determine why the ads did not contain the required enhanced notice.
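The first step in the Program’s test, finding out which third parties a brand’s own pages load, can be scripted. The following is an added example, not code from the newsletter or from the Accountability Program: it parses a page’s HTML and lists every image, script or iframe fetched from a host outside the first-party site, flagging 1x1 or hidden images as probable tracking pixels. The HTML fragment is constructed and every host name in it is made up.

```python
"""Inventory the third-party resources (pixels, scripts, iframes) a page's
HTML pulls in.

Added example, not the newsletter's or the Accountability Program's code.
The HTML below is constructed and every host name in it is made up.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse


class _ResourceCollector(HTMLParser):
    TAGS = {"img", "script", "iframe"}

    def __init__(self):
        super().__init__()
        self.found = []  # (tag, src, attrs)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in self.TAGS and attrs.get("src"):
            self.found.append((tag, attrs["src"], attrs))


def _site(host):
    # Crude: keep the last two labels. A real audit should use the Public
    # Suffix List, otherwise hosts under e.g. "co.uk" are grouped wrongly.
    labels = host.lower().split(".")
    return ".".join(labels[-2:])


def _looks_like_pixel(tag, attrs):
    if tag != "img":
        return False
    tiny = attrs.get("width") in ("0", "1") and attrs.get("height") in ("0", "1")
    hidden = "display:none" in (attrs.get("style") or "").replace(" ", "")
    return tiny or hidden


def third_party_resources(html, first_party_host):
    """Return one dict per resource loaded from a host outside the first-party site."""
    collector = _ResourceCollector()
    collector.feed(html)
    own = _site(first_party_host)
    report = []
    for tag, src, attrs in collector.found:
        host = urlparse(src).hostname   # handles http://, https:// and scheme-relative //
        if not host or _site(host) == own:
            continue                    # relative URL or first-party resource
        report.append({"tag": tag, "host": host,
                       "pixel": _looks_like_pixel(tag, attrs)})
    return report


# Constructed page fragment standing in for a brand's model page.
SAMPLE_HTML = """
<html><body>
<img src="/img/hero.jpg" width="1200" height="600">
<img src="https://cdn.brand-example.test/logo.png">
<img src="https://px.adnet-example.test/collect?id=123" width="1" height="1">
<img src="//sync.dmp-example.test/pixel.gif" style="display: none">
<script src="https://tags.analytics-example.test/tag.js"></script>
<iframe src="https://ads.adnet-example.test/frame"></iframe>
</body></html>
"""


def audit_sample():
    return third_party_resources(SAMPLE_HTML, "www.brand-example.test")


if __name__ == "__main__":
    for r in audit_sample():
        print(f"{r['tag']:7} {r['host']:30} pixel={r['pixel']}")
```

A static parse only sees what is in the HTML; pixels and tag-manager calls injected by scripts at run time are missed, which is why the Program observed real browsers rather than source. In practice, pair this with the browser’s network log so the inventory covers every request the page actually makes, then check each observed ad for the enhanced notice link.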

In response, KIA initiated its own investigation. The company subsequently instructed its ad agency to: 1) implement measures to ensure that all OBA ads in KIA ad campaigns are served in compliance with OBA principles, and 2) direct all third-party ad networks to include the DAA AdChoices Icon on all interest-based ads served in those campaigns. KIA also informed the Accountability Program that it is in the process of licensing the AdChoices Icon in order to serve the Icon itself instead of relying on third-party ad networks to do so.

This decision appears to put major brands on notice that they can be held accountable under the OBA Self-Regulatory Principles, including for the actions of their ad agencies and other companies involved in their OBA campaigns, even if those brands have not represented that they participate in the self-regulatory program.



U.S. Supreme Court to Review Driver’s Privacy Protection Act Litigation Exception
By Karen Neuman

The Driver’s Privacy Protection Act of 1994 (DPPA)1 prohibits the nonconsensual disclosure of personal information about licensed drivers in state DMV records for marketing. The DPPA does permit nonconsensual disclosure of this information for use in connection with civil litigation, including “investigation[]s in anticipation of litigation.” On September 25, 2012 the U.S. Supreme Court agreed to consider if the scope of the litigation exception allows lawyers to obtain personal information from state DMV records to recruit plaintiffs for class actions. The case, Maracich v. Spears, No. 12-25, should be closely monitored by business because its outcome could have an impact on the ability of lawyers to search for and identify plaintiffs for class actions.

The Respondents, South Carolina class action lawyers, obtained information under South Carolina’s Freedom of Information Act from the state DMV about thousands of people who had purchased cars from local car dealers. The data included buyers’ names, addresses, phone numbers, and vehicle purchase information. The lawyers used the data to identify potential plaintiffs for several class actions that had been or were in the process of being initiated against the car dealers under a state consumer protection statute.

The buyers received solicitations from the class action lawyers, who invited the buyers to become plaintiffs in the lawsuits. The buyers subsequently brought suit2 in federal district court alleging that the class action lawyers impermissibly obtained their personal information without their consent and used it in violation of the DPPA. The Court granted summary judgment in favor of the lawyers, holding that they did not solicit the buyers in violation of the DPPA, and that their use of the buyers’ driver records was permissible under the DPPA’s litigation exception. The U.S. Court of Appeals for the Fourth Circuit affirmed, finding that the solicitations were "inextricably intertwined" with the original lawsuits. The Fourth Circuit’s decision conflicts with decisions in other circuits, including the Eleventh and Third Circuits, on whether lawyers may obtain information protected under the DPPA for the sole purpose of soliciting plaintiffs, and what the appropriate test should be for when DPPA protected data may be used.

According to the schedule set by the Supreme Court, briefing will conclude in December. The case is expected to be argued this spring.


1 18 U.S.C. §§2721-2725. In Reno v. Condon, 528 U.S. 141 (2000), the DPPA was found to be a constitutional exercise of Congressional authority to regulate Interstate Commerce.
2 Maracich v. Spears, No. 7:09-cv-01651-HMH (D.S.C. Aug. 4, 2010), aff'd 657 F.3d 281 (4th Cir. 2011), cert. granted, 81 U.S.L.W. 3159 (U.S. Sep. 25, 2012) (No. 12-25).



FTC Settles Rent-To-Own Spying Cases
By Karen Neuman

On September 25, 2012 the FTC settled charges that several companies violated the Federal Trade Commission Act by spying on consumers using software installed on computers rented by the consumers. The Complaint alleged that software developed by DesignerWare, LLC, and licensed to seven rent-to-own stores to help the stores track and recover rented computers, captured screenshots of personal information, logged computer keystrokes, and in some cases took webcam pictures of people in their homes -- all without notice to or consent from the consumers.

Specifically, the FTC alleged that DesignerWare developed and licensed “PC Rental Agent” and an add-on, “Detective Mode”, to the rent-to-own stores. The software collected usernames, passwords, medical records, social security numbers, and photos. The FTC also alleged that PC Rental Agent tracked the computers’ locations by logging the Wi-Fi hotspots the computers could see. The location data was sent to DesignerWare, which cross-referenced the hotspot locations with public data to ascertain the computer users’ physical addresses and sent the information to the rent-to-own companies. The FTC further alleged that DesignerWare tricked users into providing their physical addresses and personal contact information by using a fake software registration window.

The proposed settlement orders ban DesignerWare and the seven rent-to-own stores from using monitoring software like the programs in this case. The FTC defined the terms “monitoring technology” and “geophysical location tracking technology” so that the software covered by the orders is clearly understood. Thus, “monitoring technology” is defined as any hardware, software, or application utilized in conjunction with a computer that can cause the computer to:

  • Capture, monitor, or record information;
  • report information about user activities by recording keystrokes, clicks, or other user-generated actions;
  • capture screenshots of the data displayed on a computer monitor or screen; or
  • activate the camera or microphone function of a computer to take photographs or record audio or visual content through the computer’s webcam or microphone.

The definition of “geophysical location tracking” includes the reporting of GPS coordinates, Wi-Fi hotspots, or telecommunications towers – all technologies that allow for a relatively precise location of the item tracked. DesignerWare and the stores will be prohibited from using geophysical location tracking software without notice and consent.

DesignerWare will also be barred from employing deceptive practices to collect personal information from consumers, such as using fake software registration screens, and the seven rent-to-own stores will be prohibited from using improperly gathered consumer information in connection with debt collection. The proposed settlements also contain record keeping requirements that allow the FTC to monitor compliance with the orders for the next 20 years.

The principles underlying this settlement can be extended to practices that are not as egregious as those alleged by the FTC in this action. Other rent-to-own or similar businesses that collect customer data -- for example, automobile rental or car sharing -- should be familiar with the proposed settlement orders and the FTC’s analysis of them. They should also undertake a comprehensive evaluation of their data collection, sharing, use and retention practices to make sure those practices are aligned with the outcome in this case.



U.S. Department of Energy Announces Smart Grid Privacy Multistakeholder Process
By Karen Neuman

The U.S. Department of Energy (DOE) has announced that it will initiate a “multistakeholder process to develop a Voluntary Code of Conduct (VCC) for utilities and third parties providing consumer energy use services.” According to the announcement, the voluntary codes will address customer data privacy policies related to information collected—including energy usage information—by and through the developing smart grid infrastructure in the U.S. The process will engage stakeholders during a series of meetings, the first of which will be convened by the DOE Smart Grid Privacy Task Force on December 6, 2012. The objective of this meeting will be to determine a process and timeline for developing the codes and to address what main elements the codes should contain.

The process is being initiated in response to the Administration’s privacy initiative. The initiative is outlined in a White House report (Consumer Data Privacy in a Networked World: A Framework for Protecting Privacy and Promoting Innovation in the Global Digital Economy) released earlier this year. The report calls for multistakeholder processes to develop legally enforceable voluntary codes of conduct for protecting consumer privacy. The National Telecommunications and Information Administration has already convened a number of multistakeholder meetings to address mobile app privacy.

Those interested in attending are asked to contact DOE by visiting the DOE Smart Grid website.



FTC Announces Proposed COPPA Settlement with Operator of Musicians’ Fan Websites
By Karen Neuman

On October 4, 2012, the Federal Trade Commission (FTC) announced a proposed consent decree with Artist Arena, the operator of several music websites. If approved by a federal court, the decree will settle charges that the company violated the Children’s Online Privacy Protection Act (COPPA) by improperly collecting personal information from children under the age of 13 without first obtaining their parents’ consent. Under the terms of the settlement, Artist Arena will pay one million dollars in civil penalties, be barred from future violations of the COPPA Rule, delete all information collected in violation of the Rule, and be subject to certain monitoring and reporting requirements.

Artist Arena operates a number of websites for young musicians including Rihanna, Demi Lovato and Justin Bieber. The FTC alleged that children visiting the sites were able to register to join a fan club, create profiles and post content on members’ walls. Children also provided personal information to subscribe to fan newsletters. The sites collected children’s names, addresses, email addresses, birthdates and gender information in violation of COPPA. The FTC also alleged that Artist Arena violated Section 5 of the Federal Trade Commission Act by falsely claiming that it would not collect children’s personal information or activate a child’s registration without obtaining prior parental consent. The company registered over 25,000 children under age 13 and collected and maintained personal information from almost 75,000 additional children who began, but did not complete, the registration process.

This settlement was announced as the FTC continues to consider proposed updates to the COPPA rule to address the growing adoption of interactive and mobile technologies by young children. During this process, the FTC has stepped up its aggressive enforcement of the rule, bringing actions against both child-directed and general audience sites to ensure that the rule’s objective of protecting children’s online privacy is achieved. Child-directed websites and online services, as well as general audience sites and online services that attract children, should regularly review their data collection, sharing and use practices to ensure that those practices are aligned with the requirements of the COPPA rule and the FTC’s interpretation of the rule as reflected in the COPPA settlements.



Comment Period for Proposed Changes to COPPA Rule Closes - New Rule Likely to Impact Wide Swath of Businesses
By Karen Neuman

The deadline for filing comments with the Federal Trade Commission (FTC) on proposed changes to the Children’s Online Privacy Protection Act (COPPA) rule closed September 24. All indications are that the revised rule will create complex new compliance obligations for a wide swath of businesses, impose unintended barriers to entry for new ventures and potentially suppress innovation and growth in new markets, including educational content, games and services, and related delivery platforms.

The COPPA rule generally requires operators of child-directed websites, online services and apps to obtain verifiable parental consent by narrowly prescribed means before they collect personal information from a child who is under the age of 13. The rule also applies to operators of general audience sites and services that “knowingly” collect personal information from these children.

Publication of the revised rule will conclude proceedings that were initiated by the FTC in 2010 when it accelerated a statutorily mandated 5-year review. The accelerated review was initiated because of perceived threats to children’s online privacy posed by their rapid adoption of new technologies and services, including mobile devices, social media and other interactive technologies. The FTC announced proposed changes to COPPA and sought comments. Nearly one year later, it issued a supplemental notice of proposed rulemaking with proposed modifications to the originally proposed rule. The somewhat tortured process reflects the complex challenges involved in crafting a framework that protects children’s online privacy while preserving the ability of businesses to bring the benefits of innovative technology to people of all ages. If adopted as proposed, the revised rule could increase compliance costs and obligations by:

  • Expanding the definitions of the terms “operator” and “personal information.”

    • The term “operator” would encompass entities that can be deemed as collecting data in the interest of, as a representative of or for the benefit of an operator. This change would impose liability on operators for the non-compliance of third parties, including app developers, analytics providers, plug-ins or embedded videos that collect children’s data through an operator’s sites or services. Such an outcome could discourage platforms and websites from linking to third parties, thereby reducing the use of social sharing tools or the use of third party partners for a wide variety of services.
    • Among other changes, the term “personal information” would:
      • include screen names if they can be used for direct messaging; and
      • effectively restrict operators’ use of IP addresses and other unique identifiers to prescribed uses involving internal operations.

  • Replacing the current “actual” knowledge standard that triggers general audience site compliance with an ambiguous constructive knowledge standard if a site is “likely to attract an audience that includes a disproportionately large percentage of children under 13 as compared to the percentage of such children in the general population”. In addition to requiring sites and services to ascertain the likely makeup of their audiences, this new standard would be effectively at odds with the FTC’s stated objective of data minimization. For example, operators could simply decide to age screen all users to determine likely audience makeup, thereby collecting more data than necessary in order to avoid a potential enforcement action. Even so, age screening has already been shown to be ineffective due to retries and other methods of getting around the screens.

The FTC has indicated that a revised rule could be published before the end of this year. Businesses, including website operators, online service providers and app developers should consider initiating a comprehensive review of their data collection practices, those of third party service providers (including reviewing relevant contract provisions) and the practices of other parties that can be seen as collecting data through an operator’s website or service in preparation for likely adjustments to their COPPA compliance strategies.



11th Circuit holds that Businesses can be Liable for Customer Identity Theft after a Data Breach
By Ari Moskowitz

On September 5, 2012, the United States Court of Appeals for the 11th Circuit ruled that a lawsuit alleging that a data breach caused identity theft could move forward. The 2-1 decision in Resnick v. AvMed [1] reversed a decision by the lower court to dismiss the action for failure to allege an injury cognizable under the law. The 11th Circuit disagreed, finding that the plaintiffs alleged sufficient facts to show it is plausible that the data breach at AvMed caused their identities to be stolen. The dissent highlights a dispute that is likely to play out in courts throughout the country as increasingly vast amounts of personal information are kept in digital storage by an ever-growing number of entities.

The facts of the case begin with a data breach at AvMed, a health insurance company based in Florida. The parties did not dispute that two laptops were stolen from AvMed’s offices and that those laptops contained sensitive customer information, including medical and health data, Social Security numbers, names, addresses, and phone numbers. The parties also did not dispute that 10 to 14 months after the theft, two of the named plaintiffs had their identities stolen. Bank accounts, credit cards, and other financial accounts were opened in the plaintiffs’ names using their sensitive personal information and one plaintiff’s address was changed with the United States Postal Service. The plaintiffs also claimed that they had never before been victims of identity theft and that they took care to protect any sensitive personal information in their possession.

The plaintiffs sued AvMed for negligence, negligence per se, breach of contract, breach of implied contract, breach of the implied covenant of good faith and fair dealing, breach of fiduciary duty, and unjust enrichment. [2] There were two issues [3] before the 11th Circuit with broad relevance in data breach cases: (1) whether the plaintiffs had standing to sue and (2) whether their Complaint should be dismissed for failure to state a claim upon which relief may be granted. On the question of standing, the Court and the dissent agreed that the plaintiffs had standing because they alleged monetary damages as a result of their actual identity theft, that the identity theft occurred after the theft of AvMed’s laptops and despite the plaintiffs’ actions to secure their personal information, and that compensatory damages would remedy those monetary damages.

But in evaluating the motion to dismiss for failure to state a claim, the plaintiffs faced a higher bar for showing that AvMed’s actions caused the plaintiffs’ injuries. It is here that the Judges disagreed, with the Majority finding that the plaintiffs showed that it was not just possible or coincidental, but plausible that the data breach at AvMed caused the plaintiffs’ identity thefts. The Majority reasoned that the following alleged facts are sufficient to support that finding: (1) the plaintiffs took care to protect their personal information, (2) the defendant was in possession of the plaintiffs’ personal information, (3) the plaintiffs’ sensitive personal information was stolen from the defendant, (4) the plaintiffs’ identities were stolen and financial accounts were opened using their sensitive personal information 10 to 14 months after the data breach at AvMed, and (5) the plaintiffs had never before been victims of identity theft. Accordingly, the Court found that “[p]laintiffs have sufficiently alleged a nexus between the data theft and the identity theft…” [4]

The dissent disputed this reasoning, concluding instead that the facts only show a “coincidence of time and sequence.” [5] The dissent reasoned that the plaintiffs only alleged that their sensitive personal information was stolen from AvMed and that about a year later their identities were stolen. However, the plaintiffs did not allege facts that link the events to support their claim that the identity thieves received the plaintiffs’ personal information from the laptops stolen from AvMed. It is equally possible that the identity thieves received the plaintiffs’ personal information from some other source, such as a third party that sends credit card offers to the plaintiffs.

The dispute reflected in the majority and dissenting opinions illustrates the difficulty in establishing a legally sufficient nexus between an event like the one that formed the basis for this lawsuit and the facts leading to identity theft. Personal information is easily reproducible and is constantly collected and distributed by a myriad of business, nonprofit and government entities. Therefore, whether the majority opinion or the dissent’s reasoning is adopted by other courts, plaintiffs will likely carry a heavy and difficult burden when attempting to recover for identity theft from someone other than the actual identity thief. Nevertheless, organizations must continue to be diligent in protecting personal data -- for the protection of their customers and because the outcome in this case demonstrates that they can be made to answer for the consequences of a data breach, no matter how attenuated the facts.


[1] Resnick v. AvMed, Inc., No. 11-13694 (11th Cir. Sept. 5, 2012).
[2] The court upholds the dismissal of the negligence per se and breach of the implied covenant of good faith and fair dealing claims for reasons unrelated to the actual privacy allegations in the case and reverses the dismissal of the unjust enrichment claim for reasons unrelated to the privacy allegations.
[3] Additional issues before the court were mostly unrelated to its privacy implications and included whether the Complaint alleges an entitlement to relief under Florida law (which the court finds it does, except as regards negligence per se and breach of the implied covenant of good faith and fair dealing) and the sufficiency of the unjust enrichment claim.
[4] AvMed at p. 17.
[5] AvMed at p. 28.



INTERNATIONAL DISPATCHES

Singapore Parliament Approves Comprehensive Data Protection Legislation

On October 14, 2012, the Singapore parliament approved legislation designed to safeguard personal data. Personal data is defined as data that relates to an identifiable individual, whether the data is stored in electronic or non-electronic form. To give businesses time to prepare, the law will be phased in, with full enforcement set to begin in January 2014.

As we reported previously, the law, which was first proposed in September 2011 as a “consultation paper”, establishes a consumer data protection regime to govern the collection, use, disclosure, transfer and security of personal data. It includes a Do Not Call registry that will be fully implemented in 2014. The law applies to all organizations in Singapore, except those in the public sector, which are governed by an existing Data Protection framework. It also creates a new enforcement agency that will have the authority to issue remedial measures and impose financial penalties for noncompliance. Passage of the legislation replaces the country’s sector-by-sector approach to protecting privacy by establishing a baseline standard of protection for personal data across the economy. The new law is intended to achieve the goal of enhancing Singapore’s status as a trusted jurisdiction for global data management and processing services consistent with other frameworks for protecting privacy, such as the OECD Guidelines on the Protection of Privacy and Trans-border Flows of Personal Data and the Asia-Pacific Economic Cooperation Privacy Framework.



European Commission Issues New Strategy for Cloud Computing

On September 27, 2012, the European Commission (EC) issued a document, Unleashing the Potential of Cloud Computing in Europe, that outlines a new strategy to accelerate adoption of cloud computing in the EU in order to realize the economic benefits of this technology and establish Europe as a global destination for safe and secure cloud computing. The new strategy is intended to address perceptions that cloud computing poses additional risk for business by making it easier for companies to demonstrate and verify compliance through standards and certification, and by developing appropriate legal frameworks.

In furtherance of this goal, the strategy calls for:

  • Simplifying EU-wide cloud computing standards and certification by 2014 in order to facilitate interoperability.
  • Developing new model contract terms for cloud computing services by the end of 2013 in order to promote consistency among these agreements. Key provisions are expected to cover:
    • data ownership and portability between services;
    • data integrity;
    • location and transfer;
    • subcontracting; and
    • what happens to data after a contract is terminated.
  • Creating a European cloud partnership between industry and EU member states to help European cloud service providers achieve scale and compete globally. A focus of the partnership will include overcoming regulatory fragmentation by:
    • Approving Binding Corporate Rules for cloud computing by EU member state DPAs.
    • Creating an industry code of conduct in collaboration with cloud computing service providers and approved by the Article 29 Working Party.
    • Coordinating with the U.S. and other countries on protocols for law enforcement access to cloud-stored data and on global cybersecurity.
  • Encouraging swift adoption of the new EU Data Protection Framework announced earlier this year.



UK ICO Confirms Business is Responsible for Customer Data Stored in the Cloud

On September 27, 2012, the Office of the UK Information Commissioner (ICO) released new guidance for businesses that outsource data for cloud storage. The document, Guide to Cloud Computing (Guide), reminds companies that they remain responsible for how personal data is managed and protected when they transmit that data to, and store it with, third party cloud service providers.

According to a press release, the ICO acted on the belief that many businesses are moving data to the cloud but are unaware that they remain responsible for that data.

The Guide includes the following practical suggestions:

  • Assess the risk associated with processing highly sensitive data in the cloud.
  • Consider the physical, technical and administrative security of the cloud service provider and seek assurances that its security controls prevent unauthorized access to the data and do not disrupt the company’s legitimate access to it.
  • Implement robust access controls.
  • Use third party audits and certifications.
  • Have a written contract in place that prohibits the cloud service provider from changing the terms of service without consent.
  • Put a policy in place that makes clear what the company’s expectations are of the cloud service provider in order to avoid liability for the cloud service provider’s actions.
  • Remember that international data transfers bring a number of obligations, including for the use of offshore cloud-based storage.

Given the ICO’s unambiguous stance that businesses are liable for data stored by third party cloud service providers, companies should conduct appropriate due diligence to ensure that their cloud service providers have thoroughly evaluated risk and are complying with applicable law.



UPDATES

Privacy Class Action Against Pandora Dismissed

On September 27, 2012, a federal court issued an Order in Deacon v. Pandora Media, Inc. [1] dismissing a class action against Internet radio service provider Pandora Media, Inc. (Pandora). The Plaintiff alleged that the company made the Plaintiff’s profile information publicly available and posted his listening activities on Facebook in violation of Michigan’s Video Rental Privacy Act [2] (VRPA) and Consumer Protection Act [3] (CPA).

Specifically the Plaintiff alleged that Pandora violated the VRPA by making his profile searchable on the web, thereby disclosing his listening activities to third parties, and posting this information on Facebook. The VRPA prohibits “video tape service providers” from disclosing data about an individual’s video rental activities. The VRPA also applies to other content providers. It provides in relevant part:

  • [anyone] engaged in the business of selling at retail, renting, or lending …sound recordings or video recordings shall not disclose to any person, other than the customer, a record or information concerning the purchase, lease rental or borrowing of those materials by a customer that indicates the identity of that customer.

The Court concluded that the Plaintiff failed to allege facts sufficient to state a claim under the VRPA because Pandora “never rented, lent or sold sound recordings to him, according to the dictionary definition of those terms.” Accordingly, the Court dismissed the Complaint with leave to amend. The Court also dismissed the CPA claim on grounds that the Plaintiff failed to plead facts that were sufficient to establish that he had suffered loss, as required under the statute.

The VRPA is one of several state versions of the federal Video Privacy Protection Act [4] (VPPA). The integration of social sharing tools by online video services and other content providers has coincided with an uptick in litigation under the VPPA and state equivalents.


[1] Case No. C 11-04674 SBA (N.D. Cal. September 27, 2012).
[2] Mich. Comp. Laws §§445.1711-.1715.
[3] Mich. Comp. Laws §445.903.
[4] 18 U.S.C. §2710.



California Governor Signs Laws Limiting Employer Access to Social Media Accounts

On September 27, 2012, California Governor Jerry Brown signed into law measures that increase protections for certain social media users in California. The measures prohibit employers and universities from requiring that applicants provide their email or social media account login credentials. The laws take effect January 1, 2013.

As we reported previously, AB 1844 prohibits employers from demanding user names, passwords or any other information related to social media accounts from employees and job applicants. Under the law employers are also prohibited from discharging or disciplining employees who refuse to divulge such information. This prohibition does not apply to passwords or other information used to access employer-issued electronic devices. The bill does allow employers to request or require access to personal social media accounts under limited circumstances to investigate employee misconduct or if necessary to access an employer-issued device.

SB 1349 imposes similar restrictions on postsecondary institutions with respect to students’ use of social media. The bill prohibits public and private institutions from requiring students, prospective students and student groups to disclose user names, passwords or other information about their use of social media. This prohibition does not affect the schools’ right to investigate or punish student misconduct.



PCI Data Security Council Issues Best Practices for Mobile Payment Acceptance App Security

On September 13, 2012, the PCI Security Standards Council (PCI SSC) issued new guidelines for mobile payment acceptance security. As we reported previously, the PCI SSC issued a “fact sheet” in May to help merchants securely accept payments when using a mobile device consistent with the PCI data security standard (PCI DSS). The fact sheet was intended to be a first step toward facilitating fully secure mobile payments. The new Guidelines, PCI Mobile Payment Acceptance Security Guidelines (Guidelines), recommend best practices for developers and mobile device manufacturers that are intended to encourage the design of appropriate security controls to counter a growing number of threats. Some of these threats include “man-in-the-middle” attacks and malware. The Guidelines should be useful to merchants that develop their own mobile payment apps.

The Guidelines focus on securing payment transactions made through payment applications that operate on any consumer electronic handheld device -- such as a smartphone, tablet or PDA -- that is not solely dedicated to payment-acceptance transaction processing. Specifically, the Guidelines recommend how to best 1) prevent interception of payment data as it is entered into a mobile device; and 2) secure the mobile payment application platform environment to prevent data leakage while payments are processed or stored within the mobile device.

Recommendations include:

  • Encrypting data in accord with PCI standards prior to entry into and upon exit from a mobile device.
  • Processing account data only in a “trusted execution environment.”
  • Prohibiting unnecessary third-party access and escalation of privileges.
  • Enabling remote disabling of a payment application by the merchant or payment solution provider without interfering with other device applications.
  • Reporting attempted unauthorized access.



FTC Issues Guide for Mobile App Developers

On September 5, 2012, the FTC issued advertising guidelines for mobile app developers entitled Marketing Your Mobile App: Get It Right from the Start. According to the FTC’s announcement, the purpose of the guide is to help mobile app developers observe basic privacy and truth in advertising principles when marketing their apps. Specific guidelines include the following privacy principles:

  • Be transparent about data collection, use, retention and disclosure practices and adhere to your privacy promises.
  • Build privacy considerations in from the start, including getting consent for practices that are not apparent to users.
  • Offer choices and tools that are easy to find and use, and honor those choices.
  • Protect kids’ privacy.
  • Collect sensitive information, such as medical, financial or geolocation data, only with consent.
  • Keep user data secure including complying with legal requirements for doing so that apply to certain categories of sensitive data.

The Guide’s truth in advertising principles include telling the truth about what an app can do and disclosing key information clearly and conspicuously.

The release of the guide occurs at a time when mobile app privacy is garnering significant attention by lawmakers, regulators, industry self-regulatory bodies and privacy class action lawyers. In order to minimize risk it is important that developers familiarize themselves with applicable rules, self-regulatory frameworks and guidelines and understand the interplay of each when implementing privacy and data protection practices and policies.



NEWS & ANNOUNCEMENTS

Karen Neuman to Discuss Connected Car Privacy at San Diego Auto Content and Apps Conference
Karen Neuman will participate in a gathering of auto, app, content and other tech executives December 4-5 in San Diego to discuss business models for fueling the expansion of the connected car. Her remarks will focus on maximizing consumer trust and minimizing legal risk in the connected car ecosystem as car and tech companies bring social marketing and a plethora of content and services to the “fourth screen.”



Copyright © 2012 St. Ledger-Roty & Olson, LLP.
1250 Connecticut Avenue, N.W., Suite 200, Washington, D.C. 20036